200-Ton Bridge Crane at RPSF

SAA00029
Rev. A
October 2005
SYSTEM ASSURANCE ANALYSIS
OF THE
200-TON BRIDGE CRANE
AT THE
ROTATION, PROCESSING and SURGE FACILITY (RPSF)
Baseline No.: 400.15 PMN: K60-0562

K60-0563
GROUND OPERATIONS
SAA00029
Rev. A
TABLE OF CONTENTS
1 SYSTEM ASSURANCE ANALYSIS SUMMARY .....................................................5

1.1 FINDINGS ..................................................................................................................... 5
1.2 AREAS OF CONCERN ...................................................................................................... 5
1.3 DOCUMENTATION LIST................................................................................................... 5
2 SYSTEM DESCRIPTION .....................................................................................6

2.1 Bridge ........................................................................................................................... 7
2.2 Trolley........................................................................................................................... 7
2.3 15-Ton Hoist.................................................................................................................. 7
2.4 200-Ton Hoist ................................................................................................................ 7
2.4.1 Emergency Drum Brake .................................................................................................. 7
2.4.2 Float Mode..................................................................................................................... 7
2.4.3 E-Stop........................................................................................................................... 8
2.4.4 Electrical Controls ........................................................................................................... 8
3 ANALYSIS GROUNDRULES .............................................................................19

4 FAILURE MODES AND EFFECTS ANALYSIS.....................................................20
4.1 CRITICALITY ASSESSMENT ........................................................................................... 20
4.2 FMEA WORKSHEETS ..................................................................................................... 41
4.2.1 Wire Harnesses, Cables and Connectors.......................................................................... 41
4.3 COMPUTER INTERFACE ANALYSIS................................................................................ 461
4.3.1 LAUNCH COMMIT CRITERIA (LCC) AND GROUND LAUNCH SEQUENCER (GLS)
COMPATIBILITY REVIEW ............................................................................................. 461
4.3.2 EMERGENCY (HARDWIRE) SAFING ANALYSIS ............................................................... 461
Appendix A. FAULT TREE AND HAZARD ANALYSIS

Appendix B. CRITICAL ITEMS LIST
LIST OF ILLUSTRATIONS
Figure 1. RPSF 200-Ton / 15-Ton Bridge Crane ................................................................................... 12
Figure 2. Removal of railcar cover...................................................................................................... 13
Figure 3. Lift of SRB Segment ........................................................................................................... 14
Figure 4. SRM Segment Lifting Operation............................................................................................ 15
Figure 5. Aft Skirt Handling ............................................................................................................... 16
Figure 6. RPSF Crane Control Panel.................................................................................................... 17
Figure 7. RPSF 200-Ton Main / 15-Ton Aux. Bridge Cranes, Function Block Diagram ............................... 21
Figure 8. Trolley Control System........................................................................................................ 29
Figure 9. Bridge Control System ........................................................................................................ 32
Figure 10. Hoist Control System ......................................................................................................... 35
Figure 11. PLC Block Diagram ............................................................................................................ 40
Figure 12. 200-Ton Main Hoist Mechanical Diagram .............................................................................. 42
Figure 13. Crane E-Stop Circuit .......................................................................................................... 49
Figure 14. 200-Ton RPSF Bridge Crane Fault Tree................................................................................A-1
LIST OF TABLES
Table 1. Finding Summary .................................................................................................................. 5

Table 2. Criticality Assessment Worksheet - K60-0562, K60-0563 ......................................................... 22
Table 3. Mechanical FMEA – 200-Ton Main Hoist.................................................................................. 43
3
SAA00029
Rev. A
Table 4. Electrical FMEA – E-Stop....................................................................................................... 50
Table 5. Electrical FMEA – Main Line Controls ...................................................................................... 52
Table 6. FMEA – Bridge Drive & Controls............................................................................................. 83
Table 7. FMEA – Trolley Drive & Controls .......................................................................................... 155
Table 8. Electrical FMEA – 200-Ton Hoist Drives & Controls................................................................. 221
Table 9. Electrical FMEA – Bridge & Trolley PLC ................................................................................. 332
Table 10. Electrical FMEA – Operators Supervisory PLC System........................................................... 375
Table 11. Electrical FMEA – Crane Supervisory PLC System ................................................................ 427
Table 12. Electrical FMEA – Air Conditioning ...................................................................................... 459
Table 13. Flexhose FMEA – Emergency Brake.................................................................................... 460
Table 14. Hazard Analysis Worksheet – K60-0562, K60-0563 ............................................................ A-35
4
SAA00029
Rev. A
1 SYSTEM ASSURANCE ANALYSIS SUMMARY
1.1 FINDINGS
Table 1. Finding Summary

Assessment
Reliability Criticality Critical
Safety Criticality Critical
Type Quantity
Critical Items 1 -
1S -
2 -
1R Non-CIL Items 1R 4
Critical Flexhoses 1S -
2 14
Critical Orifices 1S -
2 -
Critical Filters 1S -
2 -
Hazard Reports Accepted Risk 1
Controlled 1
1.2 AREAS OF CONCERN
There were no Areas of Concern identified with this system.
1.3 DOCUMENTATION LIST

Document/Drawing No. Title
1274 Fulton Shipyard 200/15 ton capacity crane
79K27158 200-Ton Main / 15-Ton Auxiliary Bridge Cranes SRB Facility
(OMRSD)
80K59317 RPSF 200-Ton crane emergency brake modification
80K60208 200-Ton Crane Drive and Controls Replacement, Specification for
80K60209 200-Ton Crane Drive and Controls Replacement, Modification
Ederer F-42784 Crane Control Elementary Drawings for 200 Ton Bridge Crane
Launch Complex 39, Rotation Processing Facility High Bay K6-494
FSOP 6100 USA Florida Safety Operating Plan
• Appendix S
• Safety Operating Procedure 23 (RPSF Operations)
F2726 RPSF Project • SIS PLC Software
• Bridge & Trolley PLC Software
• Electromagnetic Compatibility Test Report
5
SAA00029
Rev. A
Document/Drawing No. Title
KHB 1710.2 Kennedy Space Center Safety Practices Handbook, Annex G
NASA-STD-8719.9 Standard for Lifting Devices and Equipment
OMI Q3508 200-Ton Bridge Cranes Operating Instructions
OMI Q6311 Maintenance Instructions of the Bridge Cranes Emergency Stop
System
M_Q6322.01 Monthly Maintenance Instructions for the 200-Ton Bridge Cranes,
RPSF
S_Q6322.01 Semi-annual PM Instructions for the 200-Ton Bridge Cranes, RPSF
A_Q6322.01 Annual PM Instructions for the 200-Ton Bridge Cranes, RPSF
L_Q6322.01 Annual Load Test and Hook Magnaflux Check
SLO-KSC-1991-010 KSC Suspended Load Operation Analysis / Approval
Aft Booster Disassembly
SLO-KSC-1991-012 KSC Suspended Load Operation Analysis / Approval
Aft Booster Assembly
GFK-0898E GE Series 90-30 Programmable Controller I/O Module Specifications
2 SYSTEM DESCRIPTION
This analysis covers the 200-Ton main and 15-Ton auxiliary cranes at the RPSF. The 200-Ton crane is used
to perform the operations necessary in the RPSF from receipt of SRM components through preparation for
transfer to the VAB for stacking.
There are two 200-Ton / 15-Ton bridge cranes, the forward #1 crane (PMN K60-0562) and aft #2 crane
(PMN K60-0563). Both bridge cranes operate on the same runway rails, which are 74 ft. 6 inches above the
floor, and run in the east-west direction. The 200-Ton cranes can be used individually or in tandem for lifting
and rotating solid rocket motor segments.
The following operations utilize the 200-Ton crane:
x Railcar cover removal and installation using lifting beam H77-0304 and spacer car kit U77-1325 (See
Figure 2).
x End cover removal for grain inspection, and installation, using 24-Ton Adapter, Dynamometer, Lifting
Lug kit H77-0408 and Nylon Sling.
x Off-load / inspect and On-load of loaded segments using Lifting Beam H77-0388 and Breakover
Handling Beam H77-0382-1.
x Off-load and on-load of Nozzle Extension using Utility Beam H77-0354.
x Lifting / lowering of the Aft Skirt on transport dolly H77-0231 using Aft Skirt Handling Sling H77-
0191-1.
x Installation of left / right Aft Skirt Assemblies in RPSF work stand using Aft Skirt Handling Sling H77-
0191-1, Lifting Lug Kit H77-0153 and Crane Hook Adapter H77-1346 (See Figure 5.)
x Load segment handling rings on Lowboy using 24-Ton adapter, eyebolts (part of H77-0408 kit) and
Utility Lifting Beam H77-0354.
x Segment transfer from pallet and staging segments on pallet.
6
SAA00029
Rev. A
2.1 Bridge
The bridge supports the trolley and the hoists. The bridge has two motors, one on each end of the bridge.
Two motor encoders and a Selsyn monitor the speed and direction of the motor to ensure its performance is
as directed by the operator. The speed of the bridge is from 0 – 1.5 ft/min (0.3 in/sec) with the speed
selector switch in the “fine” position, and 0 – 30 ft/min. (6 in/sec) in the “coarse” position. The bridge tends
to skew on the rails. A laser skew system is installed to help correct skewing of the bridge. The skew
system will provide a correction signal to the Bridge and Trolley PLC, which will output a correction signal to
the applicable bridge motor to decrease motor speed as necessary to correct for skewing. Should the bridge
be commanded greater than 30% of full speed, and either of the slow limit switches be tripped, the Bridge &
Trolley PLC software will slow the bridge speed to 30% of full speed. A final travel limit switch will halt bridge
travel in each direction, however, the operator can “back-out” by moving the bridge in the opposite direction.
2.2 Trolley
A single motor set, which is similar in operation to the bridge motors, powers the Trolley. The Trolley moves
along the length of the bridge. The speed of the trolley is from 0 – 1.5 ft/min (0.3 in/sec) with the speed
selector switch in the “fine” position, and 0 – 30 ft/min. (6 in/sec) in the “coarse” position. Should the trolley
be commanded greater than 30% of full speed, and either of the slow limit switches be tripped, the Bridge &
Trolley PLC software will slow the trolley speed to 30% of full speed. A final travel limit switch will halt trolley
travel in each direction, however, the operator can “back-out” by moving the trolley in the opposite direction.
2.3 15-Ton Hoist

The 15-Ton crane is limited to handling of non-critical ground support equipment. The gearbox is a single
failure point as there is not a drum brake installed.
2.4 200-Ton Hoist

The hoist is capable of operation in 2 speed modes; Fine (0 - 1.5 ft/min or 0.3 in/sec) and Coarse (0 - 7
ft/min or 1.4 in/sec). The high-speed switch position (0 – 10 ft/min or 2 in/sec) has been re-allocated for
use as a hoist joystick disable, since the joystick can be bumped during float mode operation, which would
cause a fault, halting system operation. There are redundant motor brakes, each of which is capable of
holding the load. The hook, at its minimum height from the floor, is approximately 2 feet. The maximum
hook height is 74 feet, 6 inches. The hoist has two wire ropes, each individually capable of holding the load.
2.4.1 Emergency Drum Brake

The emergency brake is a 6-piston caliper, spring-set, hydraulically released, disc brake. The spring pressure
keeps the brake applied. Hydraulic pressure is applied via a solenoid valve to release the brake. When the
solenoid valve is energized, 3000-psi hydraulic pressure is applied to the emergency brake, pressing against
the spring pressure, thus releasing the brakes. In event of loss of power or loss of hydraulic pressure, the
springs will automatically set the brake.
The emergency brake can be tripped in two ways. The operator in the crane cab, or an observer, can press
the e-stop button, which trips the main power contactor, removing power to the entire crane (which includes
the emergency brake circuit). When power is removed, the emergency drum brake engages.
The other way is if the Safety Instrumented System (SIS) Supervisory PLC’s detect any hoist fault, the hoist
permissives will be removed, which will cause power to the emergency drum brake circuit to be removed,
resulting in the brake setting.
2.4.2 Float Mode

This mode of operation is where motor torque, and not the hoist brakes, is used to hold the load in position,
and allows for very small incremental adjustments in the hoist position. In float mode, the speed is variable
from 0 to 0.5 ft/min up or down. Float mode is initiated by the operator. This is accomplished by moving
the hoist speed select switch to the “float” position (which inhibits a hoist fault in case the hoist joystick is
accidentally bumped while in float mode, which would cause a fault), pressing the thumb button on the hoist
7
SAA00029
Rev. A
joystick, stepping on the foot pedal and then moving the rotary switch in the direction required. The hoist
float potentiometer must be in the center (zero speed) position when entering and exiting float operation, or
a fault will occur.
2.4.3 E-Stop
An E-Stop is available on each of the operators consoles in both crane control cabs. When either E-stop
pressed, main 480 VAC supply power to both cranes will be removed, which will cause all brakes to set,
including the emergency drum brake. The crane will be in a safe configuration. A remote E-stop pendant is
also available for use by observers and will also remove power and set the brakes.
The E-stop is considered a 2nd level of redundancy to the SIS supervisory PLC. The SIS supervisory PLC’s
function is to monitor system operation and detect if failure occurs. Should the SIS not detect or respond to
a hardware failure and safe the system, the operator can press the E-stop. Therefore, the E-stop would be a
3rd failure, after a system failure and a SIS supervisory PLC failure. The SIS cannot however, monitor and
detect operator error. Should operator error cause imminent danger to personnel or flight hardware, only
moving the joystick back to the center off position or the E-stop is available to halt system operation.
2.4.4 Electrical Controls

There are two crane cabs, one for each 200 / 15-Ton crane, located in one divided control booth. An e-stop
is present in each control cab as well as remote e-stop pendant(s) for observers, and when activated,
removes power to both cranes and all brakes will set, including the emergency drum brake. When the power
to the drive motors is off, or controls are in the neutral position, the motor brakes will be set.
The theory of operation of the analog input and output modules is beyond the scope of this analysis, but a
brief statement of their operation will be made. Refer to the vendors technical manual for explanation of
operation. The Analog input modules take an analog signal, filter the signal, and use an analog-to-digital
converter to convert the analog signal to a digital word, and finally send it through a parallel-to-serial
converter for storage in the PLC data table for use by the CPU and software. The analog output module
reverses this operation. It takes the digital word from the data table, sends the data through a serial-to-
parallel converter, to a digital-to-analog converter, through a filter and finally out to the end user device.
Trolley:
The operator controls the trolley by operating a joystick. The joystick allows the operator to move the trolley
by providing speed, direction, speed range selection (fine [slow] / coarse [high]), and motor brake release
control. The joystick incorporates redundant directional contacts and potentiometers for speed control.
Speed control is accomplished by dual potentiometers on the joystick. One potentiometer provides a (+/-)
0 –10 VDC input to the Supervisory System PLC for monitoring purposes; the other potentiometer provides
the voltage to actually control the trolley speed. The theory of operation for the dual potentiometers is that
both pots should output the same voltage. The supervisory PLC is provided with a voltage, so it knows the
expected speed of travel. If the actual speed, as provided by the motor encoder and Selsyn, is not as
expected by supervisory PLC, then the permissives will be removed and bridge / trolley operation will be
halted. Direction control is sent directly to the Bridge & Trolley PLC via the direction contacts in the joystick,
and a redundant direction contact provides direction information to the supervisory PLC via relays.
The Bridge and Trolley PLC “scales” the input voltage, depending on the speed range selected by the
operator (fine or course). The Bridge and Trolley PLC then outputs a (+/-) 0 –10 VDC voltage to the
(Bridge/Trolley) Drive Power Module, which is the voltage that determines the actual operating speed of the
motor.
Direction, speed range and brake release information from the joystick is provided to the Bridge and Trolley
PLC (General Electric PLC, Non-safety certified). Additionally, the same information is provided to the
Supervisory system PLC for error detection monitoring. The Bridge and Trolley PLC then process the speed
and direction inputs and outputs data to the Bridge / Trolley Drive Power Modules. These power modules
then issue a command to release the brake(s) and provide 460 VAC 3-phase power to the Bridge / Trolley
8
SAA00029
Rev. A
motor to operate it in the desired direction and speed. Two motor encoders are provided on the motor. The
primary motor encoder is used to provide a feedback control signal to the Trolley Drive Power Module. The
secondary motor encoder provides motor speed and direction information to the Crane Supervisory PLC. The
actual motor speed and direction (via the secondary motor encoder output) is compared to the commanded
speed and direction. If the monitored speed or direction is not the same as the commanded speed or
direction, the Supervisory PLC’s will remove the “permissives” and cause the bridge & trolley to cease
operation. In addition, the motor shaft drives a Selsyn. The Selsyn is used to drive the digital display in the
operators cab to allow the crane operator to move the trolley in very small increments. The Selsyn output is
also provided as an input to the Operators Supervisor PLC. This input is compared to the secondary encoder
input. This comparison is to determine if the secondary motor encoder and the Selsyn have a 0 delta. If the
difference is greater than 0, a fault is generated and bridge & trolley operation is halted.
Limit switch inputs are provided to the bridge and trolley PLC. There are slow and stop limit switches, for
each travel direction. The slow limit switches will cause the bridge and trolley PLC to automatically switch the
speed to 30% of fast speed, if the operator is not already in slow speed mode. The stop limit switches, if
tripped, will cause the bridge and trolley PLC to halt bridge and trolley operation. The operator can “back-
out” of a stop limit switch by operating the trolley in the opposite direction.
Bridge:
The controls for the bridge operation are identical as described in the trolley section above with just a couple
of differences. The trolley has 1 motor drive and the bridge has two motor drives that are driven
simultaneously from one joystick input. The encoder setup is slightly different on the Bridge motors. One
bridge motor has 1 encoder (which provides a feedback control to the Bridge Drive Power Module) and a
Selsyn, and the other bridge motor has 2 encoders (one encoder providing feedback control to the Bridge
Drive Power Module and one encoder provides motor speed and direction monitoring to the supervisory PLC),
with no Selsyn. The Bridge Drive Power Modules have an additional output that the Trolley Drive Power
Module does not have. A “Greater than set point” output is provided to the Bridge and Trolley PLC, laser
skew operation. Otherwise, operation is the same.
Hoist:
The hoist operates differently than the bridge and trolley. The joystick output is applied directly to the Hoist
Drive Power Module, via relay logic, and is monitored by the Supervisory PLC’s. If the commanded speed
and direction is not the same as the monitored speed and direction, the Supervisory PLC’s remove the
“permissives”, and cause the hoist to cease operation. The Supervisory PLC monitors a hoist motor
tachometer and hoist drum tachometer for discontinuity between motor speed and drum speed. There is a
single load cell installed for the RPSF crane. The load cell provides an input to the Crane Supervisory PLC.
The torque value from the Hoist Drive DC Power Module is supplied to the Crane Supervisory PLC as well. If
the load cell data and the last stored value in the Supervisory PLC do not agree within a specified amount,
then the supervisory system will remove the hoist “permissives” causing the hoist to cease operation.
If no errors are detected, the supervisory system enables the mainline electrical controls by issuing both
“permissives”. This energizes an “enable” relay contact closure allowing power to be applied to the control
circuit, joystick power supply is enabled, power is supplied to the Selsyns, the mainline contactor which can
remove 460 VAC 3 –phase power to all of the cranes systems, except the lights, motor heaters and the
equipment cabinet air conditioners.
In the event of a load cell failure, a keyed on/off switch is installed, which allows the load cell to be bypassed.
A rheostat (potentiometer) can then be adjusted to allow the operator to provide a preload to the hoist motor
controller. This will preset a torque value for the hoist motor on startup. This prevents hoist motion from
having to start at zero torque.
The high-speed mode of operation for the hoist is no longer available. The high-speed position on the speed
select switch has been reallocated for use as a float enable. The joysticks do not lock in the center position.
During testing of the float mode, the joystick could be bumped, which would cause a hoist fault condition.
Therefore, the high-speed switch position will be used as a “float enable” which will inhibit a hoist fault due to
bumping the hoist joystick.
9
SAA00029
Rev. A
Supervisory System:
In order to achieve fail-safe design requirements, two safety certified PLC’s have been installed. These PLC’s
are Allen-Bradley GuardPLC 2000, TUV certified, for safety applications. The safety certified PLC’s utilize
redundant CPU’s in a single PLC controller. Every output of a safety PLC has built-in monitoring. Each logic
circuit contains a test point after each of two safety switches located behind the output driver, as well as a
third test point downstream of the output driver. Each of the two safety switches is controlled by a unique
microprocessor. If a failure is monitored at either of the two safety switches due to switch or microprocessor
failure, or at the test point downstream from the output driver, the operating system of the safety PLC will
automatically acknowledge system failure, and default to a known state, facilitating an orderly shutdown.
These PLC’s perform supervisory monitoring of the motor drives speed and direction, and all operator
controls. One PLC serves as a Crane Supervisory PLC, and the other as an Operator Supervisory PLC. The
Operators Supervisory PLC monitors the operators commands to the crane, and the Crane Supervisory PLC
monitors selected bridge, trolley and hoist system parameters. Their function is to monitor system
operation, comparing commanded input with system output. The objective is to determine if the bridge,
trolley and hoist are operating as commanded by the crane operator. The hoist and the bridge & trolley have
been separated. In the event improper operation is detected, either supervisory PLC is capable of removing
power to either the hoist or bridge & trolley, as applicable. In the event of a hoist failure, the bridge & trolley
will still be operational to allow the load to be moved to a safe location to be lowered. Should the bridge or
trolley fail, the hoist will remain operational to be able to safely lower the load. In event of a hoist fault, the
SIS will remove power to the hoist and set the emergency drum brake. In the event of a power fault,
communications fault, or a fault in either SIS PLC, all permissives will be removed, halting all hoist operation.
In the event that the emergency stop switch is pushed, the mainline contactor will open, removing power to
the entire crane (hoist and bridge & trolley).
Each of the supervisory PLC CPU’s has a watchdog processor that monitors the operation of the CPU. In
addition, the watchdog processor is tested by the CPU. The watchdog monitors the function of the processor.
In case of certain faults, the watchdog switches all outputs to the de-energized state. This will remove the
permissives, and cause a shutdown of the crane. The Supervisory PLC’s do not issue any hoist or crane
operational control commands except for removing the permissives to the mainline electrical controls.
Both of the supervisory PLC’s are connected together by a safety certified Ethernet communication
connection. The communication between the two PLC’s meets the requirements of SIL Level 3 (Safety
Integrity Level). This allows the PLC’s to communicate. Each PLC has one permissive for the hoist and one
permissive for the bridge & trolley. Should a fault be detected, each PLC will remove its permissive (de-
energize a relay), which will cause the power to be removed from the applicable part of the system, halting
either the hoist or the bridge & trolley. The hoist and bridge & trolley have separate permissives so that if a
hoist fault is detected the bridge & trolley will continue to be operational, and vise versa. Should a hoist fault
occur, the bridge & trolley could be operated to move a segment to a safe location where it can be lowered,
instead of leaving it on the hook as a suspended load.
EMI:
Electromagnetic interference and susceptibility within the control system is controlled by the use of
suppression coils on all relays, and RF shielded cabinets to eliminate undesired responses and emission from
the equipment. The crane control system was tested for Electromagnetic emission and susceptibility
requirements of MIL-STD-461C, Requirement UM05, Class C3 for commercial electrical and
electromechanical equipment. The test was conducted by Boeing Electromagnetics at Ederers manufacturing
facility in Seattle, Washington.
10
SAA00029
Rev. A
Crane Operational Speeds

Bridge and Trolley
Range Speed (ft/min) Max Speed Maximum Assumed Maximum distance
(in/sec) Operator Reaction Time traveled in 5 seconds
Fine 0 – 1.5 fpm 0.3 in/sec 3 seconds (or less) 0.9 inches
Coarse 0 – 30 fpm 6.0 in/sec 3 seconds (or less) 18 inches
Hoist
Fine 0 – 1.5 fpm 0.3 in/sec 3 seconds (or less) 0.9 inches
Coarse 0 – 7 fpm 1.4 in/sec 3 seconds (or less) 4.2 inches
High* 0 – 10 fpm 2.0 in/sec 3 seconds 6 inches

*High speed disabled (currently used as a float mode enable)
Float Mode
0 - 0.5 fpm 0.1 in/sec 3 seconds (or less) 0.3 inches
11
SAA00029
Rev. A
Figure 1. RPSF 200-Ton / 15-Ton Bridge Crane
12
SAA00029
Rev. A
Figure 2. Removal of railcar cover
13
SAA00029
Rev. A
Figure 3. Lift of SRB Segment
14
SAA00029
Rev. A
Figure 4. SRM Segment Lifting Operation
15
SAA00029
Rev. A
Figure 5. Aft Skirt Handling
16
SAA00029
Rev. A
Figure 6. RPSF Crane Control Panel

Bridge & Trolley Controls
17
SAA00029
Rev. A
Hoist Controls
18
SAA00029
Rev. A
3 ANALYSIS GROUNDRULES
This analysis has been developed in accordance with NSTS 22206 and NSTS 22254.
The following additional groundrules and assumptions were used during this analysis:
a. The 15-Ton Auxiliary Hoist is not certified for critical lifts. It will not be used for lifting of flight
hardware, or lifting of GSE over personnel or flight hardware, as there is not a drum brake installed
and the gearbox would be a single failure point, which would allow the load to drop should it fail. It
can be used for lift and moving GSE around the RPSF as long as it is not over personnel or flight
hardware (non-critical lifts).
b. When operating the 200-Ton hoist in float mode, the load will not be held stationary for more than 30
seconds to prevent overheating the hoist motor.
c. When the load is within 10 feet of any structure or personnel, and the crane is being operated in
coarse speed, the crane operator is required to select fine speed. Should a control system failure
occur where the bridge, trolley or hoist does not change from coarse speed to fine speed, there will
be adequate distance (time) for the operator to press the e-stop to halt crane operation. Therefore,
operator intervention will be considered adequate to mitigate a failure to change speed from coarse to
fine.
When the load is within 3 feet of personnel or structure (stands, platforms, etc), the bridge, trolley
and hoist will be operated in the “fine” (slow) speed mode of operation (1.5 ft/min or 0.3 in/sec).
Operator intervention (which is assumed to be 3 seconds or less) will be considered available since
the distance traveled in slow speed in 3 seconds will be less than 1 inch. Therefore, operator
intervention will be considered adequate for mitigation of single failure points in the FMEA should the
crane not cease operation on time.
d. The high-speed mode of operation for the hoist is not currently available. Should the high-speed
mode of operation become available at some point in the future, it will need to be assessed at that
time.
e. The thumb button switches and related circuitry, for the bridge and trolley, which allow for manual
release of the brakes, is installed, but is currently disconnected to render it inoperable.
f. The two hoist motor brakes and the emergency drum brake are not considered redundant since they
serve different functions. The emergency drum brake is only used in event of an over-speed of the
drum (due to a gearbox failure), a supervisory PLC detected hoist failure, or if the crane operator or
observer hits the e-stop switch. The motor brakes are the normal way of holding the load.
g. Based on discussions with USA Design, USA Systems Engineering and NASA Cranes, failure of the
Bridge and Trolley brakes to set, or inadvertently release, could allow undesired motion of the bridge
or trolley to occur. However, the consensus of the engineering judgment is that any inadvertent
motion of the bridge or trolley, as a result of brake failure, is unlikely due to the shear weight of the
crane, and that the drives bring the motor to zero speed. The brakes are not intended to stop the
bridge or trolley. Therefore, loss of life or damage to flight hardware would not occur and thus will be
considered non-critical, and will be assessed as such in this analysis. Therefore, no FMEA will be
performed for the bridge or trolley brakes. Additionally, the laser skew alignment system, used to
compensate for skewing of the bridge, is also considered a non-critical function. Should it fail, the
bridge will skew, the wheels will bind, and halt motion. No FMEA will be performed.
19
SAA00029
Rev. A
h. The emergency stop (E-stop) cannot protect the crane against a catastrophic failure, which would
result in dropping the load (wire rope failure, hook failure, and perhaps a gearbox failure). A gearbox
failure is protected by emergency drum brake. The E-stop can be used to protect against a control
system failure, or operator error if time allows. A safety certified PLC is installed to monitor for a
control system failure. Should a failure occur in the bridge, trolley or hoist resulting in speed faster
than commanded, operation in a direction other than commanded, failure to cease operation when
commanded, simultaneous direction commands, etc., the SIS is designed to detect this and halt
crane operation. The SIS cannot detect and protect against running a segment into structure or a
work stand due to operator error. The SIS can detect and react to a system or control failure much
more quickly than the operator can implement an emergency stop. Therefore, an initial system or
control failure is required as well as the SIS failing to detect and halt crane operation, and the E-stop
would have to fail. Therefore, the E-stop will be considered a third failure, and will be assessed
accordingly in the FMEA.
i. Two certified crane operators are present during both hazardous and non-hazardous crane
operations, in each crane cab. If the crane operator becomes incapacitated, the second operator will
press the e-stop to halt system operation. The joysticks are spring loaded to return to the center
“off” position automatically when released. This “deadman” feature on the joysticks will be
considered a criticality category 3 failure based on this rational.
Recommendation:
USA Reliability requested that the SIS monitor the E-stop circuit. If the operator should press the E-stop,
the SIS would detect such action and remove all system permissives, halting all crane operation
(providing redundancy). The reason for the request is that there are undetectable failures that could
cause the E-stop circuit to not work if required. Were the SIS monitoring for operation of the E-stop
switch, then the SIS would also shutdown the crane whether the E-stop circuit worked or not. This would
not eliminate all E-stop failures, as is currently designed, but would eliminate some of them. This feature
was not implemented. However, based on ground rule h above, the E-stop is considered a 3rd failure,
after a system failure and the SIS fails to detect and react to safe the system. The SIS PLC was
developed to be an “automatic E-stop”, to monitor for system failures, and halt system operation when a
failure is detected. The manual E-stop is the only method to protect against operator error however.
4 FAILURE MODES AND EFFECTS ANALYSIS
4.1 CRITICALITY ASSESSMENT
20
SAA00029
Rev. A
INPUTS OUTPUTS
Electrical Power 200 Ton Main Hoist

480 VAC, 3 phase - Raise / Lower the load
- Hold the Load
- Hook Rotation
Operator Control
200-Ton Main / 15-Ton
Auxiliary Cranes 15 Ton Auxiliary Hoist
at the RPSF - Raise / Lower the load
The Load - Hold the Load
Bridge
- Structural Support
- Motion
- Brake
Trolley
- Structural Support
- Motion
- Brake
Control System
Supervisory System
E-Stop
Laser Skew Tracking
Air Conditioning
Accessories
- Lights
- Convenience Electric Outlets
- Motor Heaters
Figure 7. RPSF 200-Ton Main / 15-Ton Aux. Bridge Cranes, Function Block Diagram
21
SAA00029
Rev. A
Table 2. Criticality Assessment Worksheet - K60-0562, K60-0563 Pages 22 to 28
System/Subsystem: 200-Ton RPSF Bridge Crane / Forward [#1] and Aft [#2] Cranes Baseline Number: 400.15
Location: RPSF
Effect of Loss/Failure
Input/ Time If Function Fails to Operate or Cease Operation on Time, Fails Crit/
Output Function Period During Operation, and/or Prematurely Operates Noncrit Notes
Input
Electrical Power Supplies power for As Required Failure of electrical power during operation would result NC See SAA09EL30-001
- 480 VAC, 3 operation of RPSF in brakes setting and crane being rendered inoperable.
phase 60 Hz bridge crane hoist,
bridge and trolley.
Operator Control Controls crane SRM segment Operator error during critical lifting operations could C See Hazards Analysis
operations. handling result in loss of life, or loss / damage of flight hardware.
operations
Load to be lifted Flight and non-flight NA NA NA

hardware to be lifted.
Output
200-Ton Hoist
• Raise / Lower Raises and lowers the Handling of Failure of the mechanical capability of the hoist resulting C See Table 3. Mechanical FMEA – 200-
the load load as required to flight in uncontrolled descent of the load, could result in loss of Ton Main Hoist
(Dynamic) support processing hardware life due to inadvertent ignition of a SRM segment or
operations. dropping the load on personnel while working under a
suspended load, or loss / damage of flight hardware.
A failure of the electrical control system resulting in C See Table 8. Electrical FMEA – 200-Ton
premature operation, failure during operation or failure Hoist
to cease operation on time, could result in undesired
motion, speed or direction of the Hoist and could result
in loss of life, or loss / damage of flight hardware.
22
SAA00029
Rev. A
Location: RPSF
• Hold the load Supports lifting / SRM segment Failure to hold the load allowing the load to have un- C See Mechanical FMEA
(Static) lowering of critical handling controlled descent could result in loss of life due to See Electrical FMEA
flight hardware. operations inadvertent ignition of a SRM segment or dropping the
load on personnel while working under a suspended
load, or loss / damage to flight hardware.
• Hook rotation Rotates the load Handling of Premature operation or failure to cease operation NC
flight resulting in rotation of the hook while supporting a SRM
hardware segment would not result in loss of life or loss / damage
of flight hardware.
15-Ton Hoist
• Raise / Lower Raises and lowers the As required Failure of the mechanical lift capability of the hoist could NC See Ground Rule 3.a
the load load. result in dropping of non-flight hardware could result in
(Dynamic) loss / damage of GSE or facility.
A failure of the electrical control system resulting in NC See Ground Rule 3.a
premature operation, failure during operation or failure
to cease operation on time, could result in undesired
motion, speed or direction of the Aux. Hoist and could
result in dropping of non-flight hardware could result in
loss / damage of GSE or facility.
• Hold the load Supports non-critical As required Failure to hold the load allowing the load to have un- NC See Ground Rule 3. a
(Static) lifting operations. controlled descent could result in loss / damage of GSE
or the facility.
23
SAA00029
Rev. A
Location: RPSF
Bridge
• Structural Provides a stable Continuous Structural failure of the Bridge would allow uncontrolled C The structure is considered passive and
Support platform to support motion of the load (SRM segment), and could result in no FMEA is required per NSTS 22206
the Trolley and 200 / loss of life due to inadvertent ignition of an SRM paragraph 4.4.1.a.6
15 ton hoists. segment or dropping the load on personnel, or loss /
damage to flight hardware.
• Motion Controls positioning Handling of Failure of the Bridge electrical control system, resulting C See Table 6. FMEA – Bridge Drive &
of the Bridge for SRM flight in failure to cease operation, inadvertent motion, or Controls
segment handling. hardware operation in a direction other than commanded or speed
greater than commanded, could result in loss of life due
to impact with personnel or inadvertent ignition as a
result of impact or friction of the SRM segment.
Mechanical failure of the bridge resulting in a sudden N/C

loss of motion would not cause the load to swing
sufficiently to cause the load to impact personnel
resulting in loss of life, or structure resulting in
inadvertent ignition of the segment resulting in loss of
life.
• Brakes Holds the Bridge in a Handling of Failure of the bridge brakes to set, or inadvertent setting NC See Ground Rule 3.g
stationary position flight or release of the brakes would not result in loss of life, or
once stopped. hardware loss/damage of flight hardware.
Trolley
• Structural Provides a stable Continuous Structural failure of the Trolley would allow uncontrolled C The structure is considered passive and
Support platform to support motion of the load (SRM segment), and could result in no FMEA is required per NSTS 22206
the 200 / 15 ton loss of life due to inadvertent ignition of an SRM paragraph 4.4.1.a.6
hoists. segment or dropping the load on personnel, or loss /
damage to flight hardware.
24
SAA00029
Rev. A
Location: RPSF
• Motion Controls movement Handling of Failure of the Trolley electrical control system, resulting C See Table 7. FMEA – Trolley Drive &
of the Trolley for SRM flight in failure to cease operation, inadvertent motion, or Controls
segment handling. hardware operation in a direction other than commanded or speed
greater than commanded, could result in loss of life due
to impact with personnel or inadvertent ignition as a
result of impact or friction of the SRM segment.
Mechanical failure of the trolley resulting in a sudden N/C

loss of motion would not cause the load to swing
sufficiently to cause the load to impact personnel
resulting in loss of life, or structure resulting in
inadvertent ignition of the segment resulting in loss of
life.
• Brake Holds the Trolley in Handling of Failure of the trolley brake to set, or inadvertent setting NC See Ground Rule 3.g
stationary position flight or release of the brake would not result in loss of life, or
once stopped. hardware loss/damage of flight hardware.
Control & Supervisory System:

• Supervisory PLC based monitoring Continuous Failure during operation, to detect an off nominal or out C See Table 10. Electrical FMEA –
System system, monitors of tolerance condition, and either providing an erroneous Operators Supervisory PLC System
(Crane and bridge, trolley and “permissive” or failing to remove the “permissive”, could
Operators hoist system allow the bridge or trolley to operate or continue to See Table 11. Electrical FMEA – Crane
Supervisory operations and if an operate in an unsafe condition, and could result in loss of Supervisory PLC System
PLCs) out of tolerance life due to inadvertent ignition or an SRM segment or
condition is detected, impact with personnel.
will either inhibit, or
halt, crane operation.
25
SAA00029
Rev. A
Location: RPSF
Failure during operation, to detect an off nominal or out C See Table 10. Electrical FMEA –
of tolerance condition, and either providing an erroneous Operators Supervisory PLC System
“permissive” or failing to remove the “permissive”, could
allow the 200-ton main hoist to operate or continue to See Table 11. Electrical FMEA – Crane
operate in an unsafe condition. This could result in Supervisory PLC System
uncontrolled operation of the load, and could result in
loss of life due to inadvertent ignition, or loss/damage to
flight hardware.
• Bridge & Trolley Accepts inputs from Continuous Failure of the Bridge and Trolley PLC could result in C See Table 9. Electrical FMEA – Bridge &
PLC the bridge and trolley unsolicited output or failure during operation resulting in Trolley PLC
operator controls, uncommanded bridge or trolley motion, operation in a
and from the motor direction other than commanded or speed greater than
power modules. commanded. This could result in SRM segment impact
Controls bridge & with personnel resulting in loss of life, or with structure
trolley operation. resulting in loss of life due to inadvertent ignition of an
SRM segment, or damage to flight hardware. (Note:
Bridge & Trolley PLC does not monitor or control the
hoist.)
Other Functions:
E-stop Removes the main Hazardous Failure of the E-stop to operate when required could C See Table 4. Electrical FMEA – E-Stop
460 VAC power to condition result in SRM segment impact with personnel or See Ground Rule 3.h.
the crane, placing the inadvertent ignition of an SRM segment and result in
crane in a safe loss of life, or loss / damage of flight hardware.
condition with brakes
set.
26
SAA00029
Rev. A
Location: RPSF
Air Conditioning Provides conditioned Continuous Loss of ability to maintain the equipment enclosure C See Table 12. Electrical FMEA – Air
air (heating/cooling) within the required temperature / humidity environment Conditioning
to crane electrical could allow critical crane electrical equipment and
control equipment controllers to fail or operate erratically, resulting in loss
enclosures. of, erroneous or inadvertent command / monitoring
functions resulting in undesired operation of the bridge,
trolley or hoist. This could result in loss of control of the
load and result in loss of life.
UPS Provides backup Continuous Loss of power would result in loss of error code retention NC
power to the Crane in the Supervisory PLC’s.
and Operators
Supervisory PLC’s for
retention of error
codes should an E-
stop be issued,
removing power from
the system.
Provides power Continuous Loss of power conditioning could allow noise on the NC
conditioning to facility AC power line to cause nuisance faults, resulting
joysticks, encoders, in the Supervisory PLC to halt system operation
selsyns, bridge & unnecessarily.
trolley PLC.
Laser Skew Determines the skew Continuous Failure, or improper operation, of the laser skew tracking NC See Ground Rule 3.g
Tracking angle of the bridge system will cause the bridge motors to not track in
while traveling and tandem, and will cause the bridge to “crab”. Loss of, or
provides a correction improper tracking will not result in loss of life, or loss /
factor to the Bridge damage of flight hardware.
and Trolley PLC which
will adjust the speed
of the appropriate
bridge motor to
correct the skew
angle.
27
SAA00029
Rev. A
Location: RPSF
Power to Crane Provides for lights, As required Failure of accessories would not cause the crane to drop NC
Accessories electrical outlets, etc the load or otherwise damage flight hardware.
for the crane.
28
SAA00029
Rev. A
120 VAC
TBR TFS
I
TBC A
TT To Crane Sup. TCS
PLC Slot 4
Fine
TT
TFS G Trolley Selsyn Trolley Sensor Encoder
Coarse Receiver (TSR) Amplifier (TSEA)
To Operator Sup. TBC TBR
TCS H
PLC Slot 5
Trolley Joystick • North Direction
To Bridge & Trolley
• South Direction Trolley Distance
CCR3 PLC Slot 7 Dial
To Mainline Control • Fine Speed Display (TDD)
Indicator
Permissive (enable) • Course Speed xxx.xx
• Thumbswitch
North-Slow
North TN
To Bridge &
Trolley PLC South-Slow
South Slot 7 Trolley Selsyn
TS H Encoder (TSE)
North-Stop
Thumb Button B
(Brake Release)
TT South-Stop
To Operators Sup.
Speed PLC Slot 3
Potentiometer 10 VDC From
Joystick TMOL
Speed Power Supply TMTS
Potentiometer To Crane Sup.
PLC Slot 2
Trolley J
Drive
Speed To Bridge & Trolley
Reference C PLC Slot 3
Voltage
+/- 10 Trolley Drive "PES" Trolley
VDC Power Module Encoder Amplifier
E To Operator Sup (PTEA)
PLC Slot 2 North
Brake Release
South TBR A
From Bridge &
Trolley PLC Slot 8
F
Brake Release
Sprocket
Base Block
Trolley Selsyn
Transmitter
(TST)
460 VAC
From Bridge & Trolley Drive
Trolley PLC Slot 5
D Speed Ref. Sec. Motor Encoder
TBC Chain
Voltage Feedback Control
Legend: +/- 10VDC Pri. Motor Encoder
Input to PLC in FIG. 11 460 VAC Trolley Trolley

Brake
3 Phase Power Motor Gearbox
Connection on current Sprocket

Coupling Coupling
or another page
(not to a PLC)
Motor Overheat RPSF Crane Block Diagram

/ Overload
07/07/2004 page 1 of 12
Figure 8. Trolley Control System
29
SAA00029
Rev. A
A
Bridge
Sup.
Perm
(BSP)
Brake Release Relays
Relay
Fine Primary
TFS FeedBack
Motor
Encoder
Relay
Coarse
TCS
B&T B&T Crane
Trolley
PLC PLC Sup.
Drive Trolley
Slot 7 Slot 8 Secondary PLC
Software
Power Trolley Encoder
Relay Motor
North Module Motor Amplifier
TN B&T B&T Encoder
(TDPM) (PTEA)
Relay PLC PLC
South Software
TS Slot 3 Slot 5
Trolley
Trolley Trolley Trolley
Thumbswitch Selsyn
Selsyn Selsyn Selsyn Operators
Encoder
Transmitter Receiver Encoder Sup. PLC
Amplifier
(TST) (TSR) (TSE)
Speed (TSEA)
Potentiometer
Speed
Potentiometer A
Trolley
Distance
Display Bridge Cab
(TDD) Sup. Perm
(BCSP)
Command
Monitoring
Trolley Block Diagram
30
SAA00029
Rev. A
Frequency
Trolley_disp_counter_value Generator
(Op. Sup. PLC, Software Software Trolley_fine_display_fault (430)
Trolley_disp_freq Scaling Trolley_disp_freq
Channel A Slot 3, Ch. A2 Function Function
Channel B Slot 3, Ch. B2)
Trolley_course_display_fault (431)
sht 20/76 sht 40
Trolley
Selsyn
Encoder
Trolley_finespd_select Scale trolley

Trolley (Op. Sup. PLC, slot 5) commanded
Fine / Course
speed based
Speed Select
Trolley_coursespd_select on selected Trolley_cmd_rpm
switch
(Op. Sup. PLC, Slot 5) speed range
sht 38
Trolley_speed_sel_fault (404)
Relay CM2 / CM2R) sht 23
Trolley_no_spd_sel_fault (405)
Trolley_jstick_speed_ref
Trolley secondary
(Op. Sup. PLC,
joystick potentiometer
Slot 2, Ch. I2)
check for
Relay TN Trolley_jstick_north joystick
(Trolley (Op Sup. PLC, direction Trolley_jstick_dir_con_fail (402)
North) Slot 5, Ch. I17) contact failure
and joystick
Trolley joystick pot zero
Relay TS Trolley_jstick_south failure
(Trolley (Op. Sup. PLC, Trolley_jstick_pot_zero_fail (403)
South) Slot 5, Ch. I18) sht 24
Trolley
Secondary
Motor
Encoder
Trolley_enc_counter_value
(Crane Sup. PLC,
Channel A Slot 2, Ch. A1
Channel B Slot 2, Ch. B1) Trolley_speed_check
Motor
Response
vs.
Frequency Convert
Command
Generator Secondary Motor
Software Encoder freq to
Trolley_mtr_freq Scaling Trolley_enc_freq Trolley_motor_rpm sht 39/82
Function rpm
Faults
sht 60/76 sht 38 410
-
414
Trolley Trolley
North South
Light Light
Trolley
Brake
Fault 420
Trolley_brake_contactor
(Crane Sup. PLC, sht 39
Slot 4, Ch. I3)
Trolley_brake_fault (420)
Trolley SIS Software diagram
31
SAA00029
Rev. A
120 VAC
BBC BB1R BB2R
BB1R BB2R BFS

R
BBC BCS A
BT To Crane Sup.
PLC Slot 4
BT
Fine
To Bridge
BFS S B1GS & Trolley Bridge Selsyn Bridge Sensor Encoder
Coarse PLC Slot 6 Receiver (BSR) Amplifier (BSEA)
To Operators B2GS
BCS
Sup. PLC Slot 5 T
Bridge Joystick • Fine Speed
• Course Speed CCR3 BDPM1 BDPM2 Bridge Distance
To Mainline Control • Bridge East Dial Display (BDD)
• Bridge West Indicator
Permissive (enable)
• Thumb Button East-Slow xxx.xx
East West-Slow
BE
To Bridge &
Trolley PLC
East-Stop
Slot 6
West Bridge Selsyn
BW T
West-Stop Encoder (BSE)
Thumb Button
(Brake Release)
Skew Correct O
BT
To Operators
Speed Sup. PLC Slot 3
Potentiometer 10 VDC From BM1OL
Joystick
Speed Power Supply Bridge Drive 2
Potentiometer Power Module
(South Motor) BM2OL
To Crane Sup.
Bridge Z PLC Slot 2
Drive
Speed To Bridge & Trolley
Reference P PLC Slot 3
Voltage
+/- 10 Bridge Drive 1 "PES" Bridge
VDC To Operator Sup. Power Module Encoder Amplifier
Q PLC Slot 2 (North Motor) (PBEA) A
East
Bridge Brake South Motor Only
Release
West
BB1R Sprocket
From Bridge & U1
Trolley PLC Slot 8 Brake Release Bridge Speed Bridge Selsyn
> Setpoint Transmitter (BST)
Base Block B1GS
Bridge Drive Ready
460 VAC Belt

Sec. Motor Encoder
BBC
From Bridge & V1 Bridge Drive (north motor only)
Trolley PLC Slot 4 Speed Ref.
Feedback Control Pri. Motor Encoder
Voltage
+/- 10VDC (north & south
motors) To Bridge Motor
Brake #2
460 VAC Bridge Bridge
Brake
3 Phase Power Motor 1 Gearbox
Sprocket
Coupling Coupling
Bridge Motor Drive 1 shown. Bridge Motor Thermal Switch

to B & T PLC, Slot 7
Drive 2 Power Module (South motor) is RPSF Crane Block Diagram
similar. 06/14/2004 page 2 of 12
Figure 9. Bridge Control System
32
SAA00029
Rev. A
A
Bridge
Sup.
Perm
Brake Release Relays (BSP)
Relay
Fine
BFS
Relay
Coarse FeedBack Primary
BCS
B&T B&T Motor
PLC PLC Encoder
Bridge
Slot 6 Slot 8
Software
Drive 1 Bridge
Relay Motor Crane
East Power
BE B&T B&T (North) Sup. PLC
Module Bridge
Relay PLC PLC (BD1PM) Secondary
West BW Encoder
Slot 3 Slot 4 Motor
Amplifier
Encoder
Thumbswitch (PBEA)
Speed Software
Potentiometer
Bridge FeedBack Primary

Drive 2 Motor
Speed Power Encoder
Potentiometer Module Bridge Operators
(BD2PM) Motor Sup. PLC
(South) Bridge
Bridge Bridge Bridge
Selsyn
Selsyn Selsyn Selsyn
Encoder
Transmitter Receiver Encoder
Amplifier
(BST) (BSR) (BSE)
(BSEA)
A
Bridge
Distance
Display
(BDD)
Bridge Cab
Sup. Perm
(BCSP)
Command
Monitoring
Bridge Block Diagram
33
SAA00029
Rev. A
Frequency
Bridge_disp_counter_value Generator
(Op. Sup. PLC, Software Software Bridge_fine_display_fault (330)
Bridge_disp_freq Scaling Bridge_disp_freq
Channel A Slot 3, Ch. A1 Function Function
Channel B Slot 3, Ch. B1)
Bridge_course_display_fault (331)
sht 19/76 sht 37
Bridge
Selsyn
Encoder
Bridge_finespd_select Scale bridge

Bridge (Op. Sup. PLC, slot 5) commanded
Fine / Course
speed based
Speed Select
Bridge_coursespd_select on selected Bridge_cmd_rpm
switch
(Op. Sup. PLC, Slot 5) speed range
sht 35
Bridge_speed_sel_fault (304)
Relay CM2 / CM2R) sht 23
Bridge_no_spd_sel_fault (305)
Bridge_jstick_speed_ref
Bridge secondary
(Op. Sup. PLC,
joystick potentiometer
Slot 2, Ch. I1)
check for
Relay BE Bridge_jstick_east joystick
(Bridge (Op Sup. PLC, direction Bridge_jstick_dir_con_fail (302)
East) Slot 5, Ch. I11) contact failure
and joystick
Bridge joystick pot zero
Relay BW Bridge_jstick_west failure
(Bridge (Op. Sup. PLC, Bridge_jstick_pot_zero_fail (303)
West) Slot 5, Ch. I12) sht 24
Bridge
Secondary
Motor
Encoder
Bridge_enc_counter_value
(Crane Sup. PLC,
Channel A Slot 2, Ch. A2
Channel B Slot 2, Ch. B2) Bridge_speed_check
Motor
Response
vs.
Frequency Convert
Command
Generator Secondary Motor
Software Encoder freq to
Bridge_mtr_freq Scaling Bridge_enc_freq Bridge_motor_rpm sht 36/82
Function rpm
Faults
sht 60/76 sht 35 310
-
314
Bridge Bridge
West East
Light Light
Bridge
Brake
Fault 320
Bridge_brake_contactor
(Crane Sup. PLC, sht 36
Slot 4, Ch. I2)
Bridge_brake_fault (320)
Bridge SIS software diagram
34
SAA00029
Rev. A
A
Hoist Hoist Hoist
Motor Drum Load
Hoist Joystick Tach Tach Cell
Raise / Lower Relays
Direction Relays
Relays Hoist Hoist Hoist

Thumbswitch Relay Motor Drum Load
Tach Tach Analog
A Isolator Isolator Output
Speed (HMTI) (HDTI) (HLAO)
Potentiometer
Speed
Potentiometer
A
Hoist
Sup.
Perm
Hoist Float Switch (HSP)
Raise / Lower Relays A

Direction
Relays
Hoist
Brake
Speed Release
Potentiometer Relays
(HB1C
&
Speed HB2C)
Potentiometer
A
Crane
Hoist
Sup.
Drive
Hoist Motor Torque Value PLC
Power
Module
Speed Select (HDPM)
Switch
FeedBack Control Primary
Motor
Fine Encoder Software
Coarse A
Relays Hoist
Secondary
Hoist Hold Hoist Encoder
Motor
Motor Amplifier
Selected Encoder
(PHEA)
Operators
Sup. PLC
Hoist
Hoist Hoist Hoist
Selsyn
Selsyn Selsyn Selsyn
Load Bypass Encoder
Transmitter Receiver Encoder
switch Amplifier
(HST) (HSR) (HSE)
Relay Relay (HSEA)
A
Upper & Lower
A
Travel Limit Relays
Switches Hoist
Distance
Display Hoist Cab
(HDD) Sup. Perm
Float Foot Switch Relays (HCSP)
Figure 10. Hoist Control System
35
SAA00029
Rev. A
120 VAC
14
Hoist Drive Joystick

To Mainline Control
Permissive (enable)
To Operator Sup.
Raise
1
PLC Slot 5
CCR2 HNE
12 HR
Lower II
10 HJR
HL HMBOL HMBC
Thumb Button
(Float Mode Brake 2
Release) HT HDRP HC HJL
3
Speed 10 VDC
HPM CHMCO HE
Potentiometer From HFR
Joystick
Speed Power 12 13
Potentiometer Supply HNE HC HB1 4 HB1C MM
9 HFL
To Crane Sup.
HB2 HB2C PLC Slot 4
Hoist HT HP HFP
Speed To Hoist Drive DC
Reference 7
Power Module
Voltage HUS
HGULS HCS HCR
+/- 10 VDC 5
To Operator Sup.
GG
PLC Slot 1
HLS HHS HHR
HGLSS
6 HLB HLR
Hoist Drive Float Potentiometer &
Rotary Switch (HDFP) HBUM HMBC HMT
Hoist Motor Thermal
To Mainline Control Overload
Permissive (enable) To Operator Sup.
LL
PLC Slot 5 HB1C HB1R
4 To Crane Sup.
Raise PLC Slot 4
Hoist Foot HP 12
12 FR KK Pedal Switch HB2B HB2R
Lower To Operator Sup.
FL PLC Slot 5
Speed
Potentiometer 10 VDC From Fine
Joystick
Speed Power Supply HFS
Potentiometer
Coarse To Operator Sup.
JJ
PLC Slot 5
Hoist Float HCS
Speed Hoist Hold
Reference 8 To Hoist Drive DC
Power Module (Float Mode)
Voltage HHS 12
+/- 10 VDC
To Operator Sup.
HH
PLC Slot 1 To Operator Sup.
NN
Manual Load Set PLC Slot 2
(Keyed)
HLB
RPSF Crane Block Diagram

09/10/2005 page 3 of 12
36
SAA00029
Rev. A
Hoist Drive DC Power Module A

XR
Energize
11
7 Hoist Joystick Hoist 460
Speed Reference VAC Power HPR
8 Hoist Float Hoist Selsyn Hoist Sensor

Speed Reference Receiver (HST) Encoder Amplifier
XS
1 HNE
E-Stop When De-energized Hoist Distance
Dial Display
Indicator
X171 xxx.xx
Operator Entered Load Ref. Hoist
HLR Motor
3 Encoder
Hoist Enable
HE
6 Hoist Motor Temp Hoist Selsyn Encoder
HMT (HSE)
X175 To Operator Sup.
AA
Armature Current Meter PLC Slot 4
Armature Volt Meter
Field Current Meter
T100 Technology Board

115 VAC / Hoist Load
4 Hoist Brake 24 VDC P/S Cell Display
Acknowledge (HLCD) Hoist
HB1C HB2C
XXXXXX Load CC
Output
Hoist Float Torque Value BB To Crane Sup.
PLC Slot 1 To Crane Sup.
Permissive PLC Slot 1
HFP
Hoist Brake
Hoist Coarse 1 Release HB1 Hoist
Speed 9 Load
HCR Cell
Float speed Hoist Brake
Selected 2 Release HB2
HHR
Control Room
13 Hoist Joystick
Armature
HJR Raise To Crane Sup.
Current
460 VAC PLC Slot 3
Power
Hoist Float FF
Raise 30/60/90
HUS HFR
Manual Load
Input
5 Hoist Joystick Lower
PES Hoist
HLS HJL NN Encoder To Crane Sup. PLC Slot 1
Amplifier
HC Hoist Float Lower (PHEA) DD EE
HFL
2 A
Hoist Drive
Ready For 10
460 VAC
Power HDRP
Power Hoist
Hoist Hoist
Selsyn Hoist Motor Hoist Drum
M Motor Motor
Transmitter Tach (HMTI) Tach (HDTI)
Armature Encoder
(HST)
XF1
Hoist Motor
XF2
Field 150 /
Electronics Power
300 VDC RPSF Crane Block Diagram
06/14/2004 page 4 of 12
14
37
SAA00029
Rev. A
I
Frequency
Hoist_disp_counter_value Generator
Hoist (Op. Sup. PLC, Software Sht
Selsyn Hoist_disp_freq Hoist_dsp_rpm Software Hoist_fine_display_fault (281)
Channel A Slot 4, Ch. A1 Function 33
Encoder Channel B Slot 4, Ch. B1) Function Hoist_course_display_fault (282)
sht 20/76 Hoist_float_display_fault (280)
sht 34
Hoist_finespd_select
(Op. Sup. PLC,
Slot 5, Ch. I9) Scale hoist
commanded
Hoist Hoist_coursespd_select speed based Set Hoist
Fine / Course / Float Hoist_cmd_rpm
(Op. Sup. PLC, on selected Deadband
Select switch Sht 22
Slot 5, Ch. I8) speed range sht 25
Hoist_float_select sht 25
(Op. Sup. PLC,
Slot 5, Ch. I7)
E
Hoist_jstick_speed_ref
(Op. Sup. PLC,
Slot 1, Ch. I3)
CCR2 sht 23 Hoist_speed_sel_fault (205)

Hoist_no_spd_sel_fault (206) check for
Hoist_jstick_raise joystick Hoist_jstick_dir
(Op Sup. PLC, direction _con_fail (210)
Slot 5, Ch. I1) contact failure
and joystick
pot zero
Hoist_jstick_lower failure
Hoist Hoist_jstick
Secondary (Op. Sup. PLC, _pot_zero_fail (211)
Motor Encoder
D Slot 5, Ch. I2) sht 24
Hoist_enc_counter_value
(Crane Sup. PLC,
A Channel Slot 3, Ch. A1 A
B Channel Slot 3, Ch. B1)
Hoist Hoist_speed_check
Motor
Frequency Response
Generator vs. E
Software Command
Convert
Function encoder freq
sht 29/82
Hoist_mtr_freq Scaling Hoist_enc_freq to rpm Hoist_motor_rpm
sht 61/76 Faults
sht 25 212 -
216
H B
Hoist Hoist
Up Down Hoist_brake_1_contactor
Light Light (Crane Sup. PLC,
Slot 4, Ch. I1)
Hoist
Brake
Hoist_brake_2_contactor Fault
(Crane Sup. PLC,
C Slot 4, Ch. I7) sht 30
(Hoist Foot switch & thumbswitch) F
G float_speed_check
Hoist_brake_fault (240)
38
SAA00029
Rev. A
F
I
Hoist_foot_switch
(Op Sup. PLC,
Float_dir_con_fail (220) Slot 5, Ch. I4)
sht 24
E sht 26 float_sequence_fault (230)
Float_pot_zero_fail (221) Hoist_brake_pbutton
(Op. Sup. PLC,
(Hoist Float Select)
Slot 5, Ch. I3)
sht 27 float_no_brake_fault (232)
hoist_float_speed_ref
Convert (Hoist Brakes 1 and 2) C

Hoist_float_raise Speed input
(Op Sup. PLC, to
Slot 5, Ch. I5) RPM
sht 25
enter_float_fault (231)
Hoist_float_lower sht 27
(Op. Sup. PLC, (Hoist Float Select) E
Slot 5, Ch. I6) hoist_float_cmd_rpm exit_float_fault (233)
Set Hoist Float Float_speed_check G

Deadband
sht 28
Float Mode
Motor
Response E (Hoist Float Select)
vs
Command
hoist_motor_rpm Float
sht 29/82
Faults
B 222 -
226
(Hoist_enc_freq) H
Hoist_drum_tach
(Crane Sup. PLC, Scaling hoist_mtach_scaled tach_speed_fault (250)
Slot 1, Ch. I8)
sht
tach_dir_fault (251)
61 / 62 / 63
Hoist_motor_tach
(Crane Sup. PLC, Scaling hoist_dtach_scaled henc_vs_hmtach (252)
Slot 1, Ch. I3)
(Hoist Secondary Motor Encoder) A
Software
(Hoist Brakes 1 and 2) C
Function
Float_hold_fault (270)
sht 31/32
(Hoist Joystick raise / lower) D Hoist_drive_load_trq
(Crane Sup. PLC,
Slot 1, Ch. I2)
(Hoist Float Select) E Load_cell_pin
(Crane Sup. PLC,
Slot 1, Ch. I1)
sht 64 hoist_load_fault (260)
(Hoist Thumbswitch & Footswitch) F Load_check_bypass
(Op. Sup. PLC,
Slot 2, Ch. I3)
(Hoist Brakes 1 and 2) C
39
SAA00029
Rev. A
120 VAC 120 VAC
Battery UPS M UPS / Battery Status Battery UPS N UPS / Battery Status
Crane Supervisor PLC (Allen-Bradley GuardPLC 2000) Operators Supervisor PLC (Allen-Bradley GuardPLC 2000)
0 1 2 3 4 5 6 0 1 2 3 4 5 6
Analog Encoder
Power CPU Analog Encoder Encoder Discrete Power CPU Analog Input Encoder BLANK
Supply Module Discrete
Input Module Module I/O BLANK BLANK Supply Input Mod. Module
Mod. (PPP) Mod. I/O
(PPP) (PPEM) (PPEM) (PPIOM) (PPS) (PPAM) (PPEM) (PPEM)
(PPS) (PPIOM)
(PPAM) (PPAM)
• Bridge Supervisory Permissive (BSP) • Bridge Cab Sup. Perm (BCSP)

• Hoist Supervisory Permissive (HSP) • Hoist Cab Sup. Perm (HCSP)
• Hoist/Bridge/Trolley Travel
BB CC J FF I Trolley Brake Release GG E Q B AA
Direction Indicator Lights
• "PES" Fault Lights
DD Z R Bridge Brakes Release HH NN
O G Trolley Electical Controls
EE MM Hoist Brakes Release N S Bridge Electical

UPS
Joystick Power Controls
Supply Voltage Hoist Joystick Raise /
M UPS Status Monitor Lower, brake Thumb II KK Hoist Float
Button Raise / Lower
Safety Certified Ethernet Connection Hoist Speed Selection JJ LL Hoist Foot switch
(Fine/coarse/high) float mode
Bridge and Trolley PLC (General Electric)
1 2 3 4 5 6 7 8 9 10
P/S CPU Co- Analog Analog Analog Discrete Discrete Discrete

Processor Input Output Output Input Input Output Blank Blank
(BTPLCPS) (BTPLCP) (BPLCCP) (BTPLCAI) (BPLCAO) (TPLCAO) (BPLCDI) (TPLCDI) (BTPLCDO)
120 VAC from To Trolley Drive

Bridge / Trolley North F
Power Module
Control Xfmr Bridge
Laser
C V1 V2 D T H To Bridge Drive
Skew
U1 U2
Power Modules (1/2)
Sensor Bridge Trolley From From
Speed • Skew Detect Ready Light
P Speed Bridge Trolley
Output Output to electrical electrical • Skew Fault Light
South to Bridge Trolley controls controls
Trolley
Bridge Drive DC Drive DC and
and
Laser Power Power Bridge
Bridge
Skew Modules Module motor
Joystick
Sensor speed thermal
inputs switches
RPSF Crane Block Diagram

06/05/2004 page 5 of 12
Figure 11. PLC Block Diagram
40
SAA00029
Rev. A
4.2 FMEA WORKSHEETS
The Failure Modes and Effects Analysis follows.
The following components were considered passive in the analysis:
Crane structure & rails

Hook
Load Block
Wire Rope
Sheaves
Rope Drum
4.2.1 Wire Harnesses, Cables and Connectors
All wire harnesses, cables, and connectors were analyzed in the Electrical FMEA Table(s) for failure of
functions assessed in Section 4.1 for this system that result in loss of life or vehicle, (Ref. NSTS 22206,
Paragraph 4.4.1.b.2).
41
SAA00029
Rev. A
Crit
1R
Crit
1R
FMN: .001
FMN: .002
Figure 12. 200-Ton Main Hoist Mechanical Diagram
42
SAA00029
Rev. A
Table 3. Mechanical FMEA – 200-Ton Main Hoist Pages 43 to 48
System/Subsystem: 200-Ton RPSF Bridge Crane / Drawing No.: F-42784, F44500,
PMN: K60-0562, K60-0563 F-44309
Reference: Figure 12
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
e. Correcting Action Failure Effect On
Find No. f. Time to Effect Failure Effect On Vehicle Systems Crit
Part No. Part Name Part Function g. Timeframe System Performance And/Or Personnel Safety Cat
23 Motor Provides torque for hoist a. No output Normal hoist operation: No effect. Correcting action 3
GE CD506AT operation. b. Internal electrical Loss of motor torque would result prevents loss of life, or
failure of motor in loss of ability to hold the load. loss/damage to flight
windings Load would have uncontrolled hardware.
c. N/A descent.
d. Hoist Drive Power
module monitors Float Mode:
torque and supplies When operating in “Float Mode”,
torque value to Crane the motor torque is the load
supervisory PLC. Motor holding capability. The motor
encoder also provides brakes are not set during “Float
motor speed and Mode” operation. Should a motor
direction to Crane failure occur during “Float Mode”
supervisory PLC as well operation, the load would have
as a Selsyn provides uncontrolled descent.
motor speed and
direction to Operators Triple failure required.
Supervisory PLC.
e. Supervisory system
compares commanded
speed and direction to
actual speed and
direction. If they are
not the same, then
both supervisory
system PLC’s will
remove their
permissive, causing the
brakes to set and
safing the crane.
f. Seconds
g. Instantaneous
43
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44309
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
22 Motor brakes (2 ea) Hold load in position when a. Fails to engage Redundant holding brake will set. No effect. Correcting action 3
hoist motor is not b. Mechanical failure of If both holding brakes fail, the will prevent loss of life, or
operating. both hoist brakes, load will begin to descend. damage to flight hardware.
Internal failure of Hoist
Either brake is capable of Drive DC Power Module
holding the load. T100 Technology Board
brake release output
fails high (on).
c. N/A
d. The Crane supervisory
PLC will detect
uncommanded motion
and remove the
emergency drum brake
permissive
e. The emergency brake
will be tripped to hold
load
f. Seconds
g. Instantaneous
Fails to disengage Load cannot be raised or lowered. No effect. 3
44
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44309
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
5 Hoist Gear Case Transmits power from the a. Gear Disengagement Load would free fall. The hoist No effect. Subsequent failure 1R
(includes gear hoist motor to the drum. b. Excessive gear wear, motor brakes would be of the emergency brake to
reducer, drum pinion structural failure of ineffective. Emergency drum engage would allow
and gear set) gears or shafts brake would automatically be uncontrolled descent of the
c. 00029.001 activated and safe the load. load. Possible loss of life.
d. Over-speed detection
circuit
e. Crane and Operators
Supervisory PLCs will
remove emergency
brake permissive,
causing emergency
drum brake to set and
safe the load
f. Seconds
g. Instantaneous
20 Brake coupling Provides mechanical link Key disengagement Loss of single holding brake and No effect. 3
between electrical motor motor drive capability. Second
and holding brake and holding brake or emergency drum
gear reducer. brake will hold the load.
50 Coupling Provides mechanical link Key disengagement Loss of over-speed detection No effect. 3
between electrical motor (set screw sheared) would render automatic
shaft and over-speed (will be identified as a emergency brake activation
tachometer. cause of the over-speed inoperable. Manual emergency
detection circuit failure) brake activation available by e-
stop.
45
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44309
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
31 Emergency drum The emergency brake is a. Fails to engage Load would drop uncontrolled if Potential for loss of life. 1R
brake spring operated. Springs b. Solenoid valve fails to coupled with failure of the gear
press the caliper against change state to relieve case. (Motor brakes would be
the drum. While the hydraulic pressure to ineffective). A prior failure of the
crane is in operation allow the e-brake to hoist gearbox and subsequent
(powered up), the set, relay CTR contact failure of the emergency brake to
emergency brake is fails closed, spring engage, would allow uncontrolled
normally released by an failure in caliper, worn descent of the load.
energized solenoid valve, brake pads
which applies hydraulic c. 00029.002
pressure against the d. None
spring action of the e. N/A
caliper, thus holding the f. N/A Loss of emergency drum brake No effect. 3
emergency brake in the g. N/A capability. Requires prior failure
released position. In of both motor brakes. Triple
event of an over-speed of failure required.
the hoist drum or loss of
power to the crane, or if
the emergency stop
button is pressed, the
solenoid valve will be de-
energized, releasing the
hydraulic pressure,
allowing the brake to set
and hold the load.
Fails to disengage Emergency drum brake remains No effect. 3

engaged. Hoist will not operate.
46
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44309
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
6 Gear Belt The hoist motor shaft Belt breaks or otherwise Unable to turn both the hoist No effect. 3
turns a pulley, which the comes off of the pulley secondary motor encoder and
gear belt is attached. The hoist Selsyn transmitter, resulting
belt is attached to another in loss of data to the supervisory
pulley attached to a shaft, PLC. The supervisory PLC
which drives the performs a check between the
secondary motor encoder hoist secondary motor encoder
and hoist Selsyn and the hoist motor tach
transmitter. readings. If a discrepancy is
detected (which would indicate a
broken belt), then a fault
(henc_vs_hmtach, fault 252) will
cause the hoist to halt operation.
Slips The secondary motor encoder No effect. 3

and hoist Selsyn transmitter
would output erratic data. The
supervisory PLC performs a check
between the hoist secondary
motor encoder and the hoist
motor tach readings. If a
discrepancy is detected (which
would indicate a slipping belt),
then a fault (henc_vs_hmtach,
fault 252) will cause the hoist to
halt operation.
47
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44309
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
5 Gear Belt The hoist motor shaft Belt breaks or otherwise Unable to turn the hoist Selsyn No effect. 3
turns another shaft by a comes off of the pulley encoder, resulting in loss of data
pulley and gear belt to the supervisory PLC. The
(above). The hoist Selsyn Supervisory PLC compares the
transmitter is then driven secondary motor encoder data to
by this gear belt. the Selsyn receiving encoder
data. If the belt driving the
Selsyn were broken, the Selsyn
output would be zero, and the
supervisory PLC would detect a
delta between the Selsyn encoder
and the secondary motor
encoder.
Slips The Selsyn would output erratic No effect. 3

data. The Supervisory PLC
performs several checks against
other measurements. If the
Selsyn encoder data is erratic,
then one or more faults would be
detected, which would cause the
supervisory PLC to halt hoist
operation.
48
SAA00029
Rev. A
Figure 13. Crane E-Stop Circuit
49
SAA00029
Rev. A
Table 4. Electrical FMEA – E-Stop Pages 50 to 51
System/Subsystem: 200-Ton RPSF Bridge Crane / 200-Ton Crane Drawing No.: Ederer F-42784 / 4
PMN: K60-0562. K60-0563 Reference: Figure 13
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None Transformer Provides power for Fails open / short Loss of power to e-stop circuit No effect. 3
emergency stop switches resulting in loss of ability to
at console #1, #2 and initiate an e-stop if required.
remote E-Stop
receptacles. E-Stop circuit Multiple failures required.
will not work without
power. See ground rule 3.h
None E-Stop Switch When pressed, energizes Fails Open Unable to energize the shunt trip No effect. 3
(1 in each crane two coils, which trips the circuit breaker, resulting in loss of
control cab, and up main 460 volt, 3-phase ability to initiate an e-stop when
to 6 remote e-stop AC power shunt trip circuit required.
pendants). breaker on both cranes,
removing power and See ground rule 3.h
shutting down both
cranes.
Fails closed Unable to operate crane. No effect. 3
None Shunt trip circuit Removes main 460 volt, Coil fails open / Short Unable to remove power from No effect. 3
breaker 3-phase AC power from crane to halt crane operation if
crane and controls during required condition.
an emergency, setting
brakes and placing crane Multiple failures required.
in a safe state. Tripped
when e-stop is pressed. See ground rule 3.h
Breaker fails open Loss of power to crane. Unable to No effect. 3

operate crane.
50
SAA00029
Rev. A
Table 4. Electrical FMEA – E-Stop Pages 50 to 51
System/Subsystem: 200-Ton RPSF Bridge Crane / 200-Ton Crane Drawing No.: Ederer F-42784 / 4
PMN: K60-0562. K60-0563 Reference: Figure 13
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Breaker Fails closed Unable to remove power from No effect. 3

crane to halt crane operation if
required condition.
The supervisory system PLC also

monitors for an E-stop and will
remove the system permissives,
halting both hoist and bridge &
trolley operation.
Multiple failures required.
See ground rule 3.h
51
SAA00029
Rev. A
Table 5. Electrical FMEA – Main Line Controls Pages 52 to 82
System/Subsystem: 200-Ton RPSF Bridge Crane / Drawing No.: Ederer F-42784 / 6
PMN: K60-0562, K60-0563 Reference: None
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
GENERAL
PM2 Phase Monitor Monitors for loss of any No output “Enable” would not be provided to No effect. 3
(Line 510 / 634) phase of the 3-phase 460 (Contact fails open) relay CUV. Unable to power up
VAC main supply power. Mainline Control circuit. Crane
1 normally open Energizes relay CUV if all will not operate.
contact phases of power is
present.
Erroneous output Should a loss of phase occur, the No effect. 3
(Contact fails closed) Mainline Control circuit would
continue to be enabled. Loss of
phase power to bridge, trolley
and hoist motors and controllers
would also occur. Motor drives
also can detect loss of phase and
will cease operation.
CUV Relay Control Undervoltage Coil fails open Unable to power up mainline No effect. 3
(Line 634) Relay provides an control circuits for the hoist and
“enable” to the mainline bridge & trolley. Crane will not be
2 normally open control circuit for the hoist operational.
contacts and bridge & trolley
control circuits if all 3
power phases are present.
Upon loss of any phase of
the 3-phase 460 VAC
power, contacts open to
remove power from hoist
and bridge & trolley
control circuits, halting
their operation.
52
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 638) Provides an “enable” to Normally open contact Unable to power up mainline No effect. 3
turn on the hoist control Fails open control circuit for the hoist. Hoist
circuit for the hydraulic will not be operational. No effect
pump for the emergency on bridge & trolley operation.
brake and the Aux. Hoist.
Note: Aux. hoist is

currently assessed as
non-critical and is non-
operational.
Fails closed Unable to de-energize relay CCR2 No effect. 3

to disable hoist control circuit
should a loss of 1 or more phases
of power occur.
If phase “A” were lost (phase B &

C still present) the Hoist control
circuit would continue to be
operational, however, loss of
phase power to hoist drive power
module would also occur.
If phase “B” or “C” should be lost,

the hoist control circuit would de-
energize, causing loss of power to
the hoist control circuit as well as
to the hoist drive power module.
53
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 642) Provides an “enable” for Normally open contact Unable to power up the bridge & No effect. 3
relay CCR3 that allows for Fails open trolley control circuits. Bridge &
turning on the bridge & trolley will not be operational. No
trolley control circuits. effect on hoist operation.
Fails closed Unable to de-energize relay CCR3 No effect. 3

to disable the bridge & trolley
control circuits should a loss of 1
or more phases of power occur.
If phase “A” were lost (phase B &

C still present) the Bridge &
Trolley control circuit would
continue to be operational,
however, loss of phase power to
bridge & trolley motor drives and
motors would also occur.
If phase “B” or “C” should be lost,

the control circuit would de-
energize, causing loss of power to
the bridge & trolley control
circuits as well as to the motor
drives and motors.
54
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Stop Switch, manual Allows the operator a Fails open Power to the hoist and bridge & No effect. 3
pushbutton, normally manual control to trolley mainline controls would be
closed interrupt power to the removed and the crane would be
(Line 636) CCR1 relay, de-energizing shut down and placed in a safe
the circuit and removing condition. Unable to operate the
power to the crane. crane.
Essentially an “off” switch,
not intended to be used as
an emergency stop
switch.
Fails closed Unable to remove power to the No effect. 3

mainline control circuits to turn
the crane “off”. Not intended to
be used as an “E-stop” switch.
Start Switch, manual Provides an operator Fails open Unable to energize the crane No effect. 3
pushbutton, normally control to energize the circuits to allow crane operation.
open hoist and bridge & trolley
(Line 636) mainline control circuits,
applying power to the
crane.
55
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails closed Relay CCR1 would energize and No effect. 3
de-energize as any of the
joysticks, or float potentiometer,
are moved from the center off
position and back.
Once CCR1 is energized and the

supervisory PLC’s issue their
permissives, operation of CCR1
does not have any effect on
system operation since the relay
contacts are bypassed.
CCR1 Relay The control relay for the Coil fails open Unable to operate the hoist and No effect. 3
(Control Circuit hoist and bridge & trolley bridge & trolley.
Reset 1) mainline control circuits.
When the joysticks and
2 normally open float potentiometer are in
contacts the center off position,
and the operator pushes
the “start” button, relay
CCR1 energizes, which
provides an enable for
hoist control circuit and
bridge & trolley control
circuit.
Once the crane is turned

on, this relay has no effect
as the relay contacts are
bypassed.
56
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 638) Energizes the hoist control Contact fails open Unable to energize relays CCR2 / No effect. 3
circuit. CAC / MIX. Hoist will not be
operational.
No effect on bridge & trolley

operation.
Contact fails closed No effect. Additional series No effect. 3

contacts will open to de-energize
relay CCR2; CM1, Hoist
permissives (HCSP & HSP) from
Operator and Crane Supervisory
PLC’s will open if an out of
tolerance condition is detected.
(Line 642) Energizes the bridge & Contact fails open Unable to energize relays CCR3 / No effect. 3
trolley control circuits. CM2. Bridge and trolley will not
be operational.
No effect on hoist operation.
Contact fails closed No effect. Additional series No effect. 3

contacts will open to de-energize
relay CCR3; CM2, Bridge &
Trolley permissives (BCSP & BSP)
from Operator and Crane
Supervisory PLC’s will open if an
out of tolerance condition is
detected. Multiple failures
required.
57
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist
MRT Relay, Time Delay Energized by relay MIX, Coil fails open Unable to energize Mainline No effect. 3
opening when de- MRT energizes Mainline Contact fails open Contactor CM1 to apply power to
energized Contactor relay CM1 that the system. Unable to operate
applies 3-phase power to the crane.
(Main Relay Timer) crane and hoist circuits.
(Line 664 / 648) Relay MRT has a 0.2
second time delay on de-
1 normally open energizing, slightly
contact delaying de-energizing
hoist mainline power
contactor CM1, to remove
power to the hoist power
module.
Contact fails closed Mainline contactor (CM1) would No effect. 3
not be de-energized to remove
power to the crane. However,
MRT is de-energized by relay
MIX. MIX is de-energized by the
Operators or Crane supervisory
PLC removing its permissive due
to an out of tolerance condition,
or by the hoist weighted limit
switch opening. Even if the
contact fails closed, and power is
not removed, the removal of the
permissive will halt hoist
operation.
58
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
CM1 Relay Energized by Time Delay

(Hoist Mainline Relay MRT, provides the
Contactor) following functions to
allow hoist operation:
(Line 648)
2 normally open
contacts
(Line 532) • Closes to provide 3- Contact fails open Unable to operate the main or No effect. 3
phase power to the aux. hoist.
main and aux. hoist
motor drives and No effect on Bridge & Trolley
controls only. (Not operation.
bridge & trolley)
Contact fails closed Power would not be removed No effect. 3
from the main and aux. Hoist in
event of a failure.
However, in the event of a failure,

the supervisory system would
remove the hoist permissives,
HCSP and HSP, halting hoist
operation. Multiple additional
failures would be required to have
continued or uncommanded hoist
motion.
59
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 640) • Provides an interlock to Contact fails open Unable to latch Relay CCR2. No effect. 3
relay CCR2, keeping Relay CCR2 would de-energize as
the hoist control circuit soon as the “start” switch is
energized once the released.
crane is “started”.
Unable to operate the main or
aux. hoist.
No effect on Bridge & Trolley

operation.
Contact fails closed No effect. Hoist permissives, No effect. 3

HCSP and HSP are in series and
would cause relay CCR2 to de-
energize, halting hoist operation.
Multiple failures would be

required to have continued or
uncommanded hoist motion.
CM1R Relay Provides an input to the Contact fails open Loss of indication to the Crane No effect. 3
(Line 3035) Crane Supervisory PLC, Supervisory PLC that hoist
1 normally open slot 4, (CCR2) that the mainline power is available. The
contact crane mainline contactor Crane Supervisory PLC will not
(CM1) has been enable its “permissive” (HSP) and
energized. hoist operation will be inhibited.
60
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed An erroneous indication will be No effect. 3

supplied to the Crane Supervisory
PLC that hoist mainline power is
available to the system. Other
monitoring will prevent the
system from being enabled for
operation.
HSP Relay Energized by the Crane Coil fails open Unable to operate the hoist, as No effect. 3
(Hoist Supervisory Supervisory PLC, slot 4, Contact fails open the permissive will not be
Permissive) (hoist_supervisor_ available to energize relays CCR2
permissive) if no faults are and MIX.
(Coil Line 3050) detected, to allow hoist
(Contact Line 638) operation. When
energized, provides a
1 normally open “permissive” (enable) to
contact allow the hoist mainline
control circuit to power up
(relays CCR2 and MIX). If
an error is detected by the
Crane Supervisor PLC, the
relay will be de-energized
and the “permissive”
(enable) will be removed,
causing power to the hoist
mainline control circuit to
be removed and the hoist
to halt operation.
61
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Should an out of tolerance No effect. 3

condition be detected by the
Crane Supervisory PLC, the
contact would open to halt hoist
operation. The Operators Sup.
PLC will remove its permissive
(HCSP) as well. Should both
permissives fail to be removed,
hoist operation will be allowed to
continue. However, a previous
hoist failure would be needed to
require removal of the
permissives. Multiple failures
required. The E-stop is available
for use by the operator to halt
crane operation.
62
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HCSP Relay Energized by the Coil fails open Unable to operate the hoist, as No effect. 3
(Hoist Cab Operators Supervisory Contact fails open the permissive will not be
Supervisory PLC, slot 5 if no faults are available to energize relays CCR2
Permissive) detected to allow hoist and MIX.
operation. When
(Line 3549) energized, provides a
(Line 638) “permissive” (enable) to
allow the hoist mainline
1 normally open control circuit to power up
contact (relays CCR2 and MIX). If
Operators Supervisory
PLC, the relay will be de-
energized and the
“permissive” (enable) will
be removed, causing
power to the hoist
be removed and the hoist
to halt operation.
63
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Should an out of tolerance No effect. 3

condition be detected by the
Operators supervisory PLC, the
contact should open to halt hoist
operation. The Crane Sup. PLC
will remove its permissive (HSP)
as well. Should both permissives
fail to be removed, hoist
operation will be allowed to
continue. However, a previous
hoist failure would be needed to
require removal of the
permissives. Multiple failures
required. The E-stop is available
for use by the operator to halt
crane operation.
CCR2 Relay Energized by relay Coil fails open Unable to start the hydraulic No effect. 3
(Hoist Control contacts CCR1, CUV and pump to release the drum brake,
Circuit) supervisory system PLC or enable the hoist control
permissives HCSP and circuits. Unable to operate the
6 normally open HSP. When energized, hoist.
contacts performs the following
functions to allow hoist
operation:
64
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 511) • Normally open contact Contact fails open Unable to release the emergency No effect. 3
closes to provide an drum brake.
“enable” to provide
power to the hoist
emergency drum brake
electrical control circuit
(along with relay
contact CAC) to supply
power to the
transformer and to
energize relay CTR
which energizes the
Brake Dump solenoid
valve, which applies
hydraulic pressure to
the drum brake,
releasing the brake.
Contact fails closed System would operate as No effect. 3
expected by series relay contact
CAC. Failure is undetectable.
To release the emergency drum

brake would also require both of
relay CTR contacts on lines 443 &
519 failing closed, and both of
relay CAC contacts on lines 443 &
519 failing closed.
Multiple failures required to

inadvertently release the
emergency drum brake.
65
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 605) • Normally open contact Contact fails open Power would not be applied to the No effect. 3
closes to provide power Aux hoist circuit. Unable to
to the Auxiliary Hoist operate the Aux hoist. However,
control circuit. Aux hoist is currently non-
operational.

from the Aux hoist control circuit.
Aux hoist is not to be used for
critical lifts. However, Aux hoist
is currently non-operational.
(Line 640) • Normally open contact Contact fails open Unable to keep coil CCR2 No effect. 3
closes to provide an energized. CCR2 would de-
interlock, along with energize as soon as the “start”
relay contact CM1, to pushbutton is released. Unable to
keep relay CCR2 operate the hoist.
energized.
Contact fails closed Failure would be undetectable. No effect. 3

Series contact CM1 would open
and close as required providing
the interlock function for the coil.
If both contacts (CCR2 and CM1)

were to fail closed, there would
be no effect as power would be
removed from the circuit by the
Hoist permissives HSCP and HSP.
66
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 649) • Energizes crane mainline Contact fails open Unable to provide input to the No effect. 3
relay CM1R, which crane supervisory PLC. SIS
provides an input to the would cause a fault when crane
Crane Supervisory PLC operation is attempted.
to indicate that mainline
power has been applied
to the crane.
Contact fails closed Relay CM1R would stay No effect. 3

energized, providing an erroneous
input to the crane supervisory
PLC. However, the crane would
not be operational.
(Line 666) • Normally open contact Contact fails open No effect as parallel relay contact No effect. 3
closes to provide power CCR3 is present and performs the
to the Joystick same function.
Potentiometer Power
Supply (PPWR).
67
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
from the Joystick power supply.
Power would remain available to
the Bridge, Trolley and Hoist
joysticks.
The Operators Supervisor PLC,

slot 1 monitors the power supply
voltage, but just for over / under-
voltage condition, not for power
being present when it should not.
Multiple additional failures would

be required to have
(Line 2510) • Normally open contact Contact fails open Unable to operate the hoist. No effect. 3
closes to energize relays
HNE and HMBC in the
Hoist Control Circuit to
enable hoist operation.
Contact fails closed No effect. Failure is undetectable. No effect. 3

Even though the contact fails
closed, no power is available until
main power contactor CM1 is
energized. Therefore, no power
to the circuit is available unless
additional failures occurred.
68
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
MIX Relay, Mainline Energized by relay
contactor Aux contacts CCR1, CUV and
supervisory system PLC
Two relay contacts permissives HCSP and
1 normally open HSP. When energized,
1 normally closed performs the following
functions to allow hoist
operation:
(Line 447) • Provides power to motor Contact fails open Loss of power to motor heaters. No effect. 3
heaters when the crane Potential damage to motors.
is off to keep moisture
from forming in the
motors. Contact opens
when crane is turned
on.
Contact fails closed Heaters would operate when No effect. 3

crane is operating. If motors get
too hot, a thermal switch will
open, turning off the motor.
(Line 663) • Normally open contact Contact fails open Unable to energize time delay No effect. 3
closes to energize time relay MRT. Therefore, relay MRT
delay relay MRT, which cannot energize relay CM1 that is
in turn, energizes hoist the main power contactor for the
mainline contactor relay hoist. Unable to operate the
CM1. hoist.
69
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Time delay relay MRT would be No effect. 3
continuously energized, which
would keep relay CM1
continuously energized. 3-phase
power would be continuously
applied to the Aux hoist and main
hoist.
However, relay HC must also be

energized to apply power to the
Hoist Drive Power Module.
The SIS monitors the status of

CM1, but not for this purpose.
CAC Relay Starts the hydraulic pump, Coil fails open Unable to start the emergency No effect. 3
(Hydraulic Pump which supplies hydraulic drum brake hydraulic pump.
Start) pressure for releasing the Unable to release the emergency
emergency drum brake. drum brake.
(Line 638)
2 normally open
contacts
(Line 441) Makes power available to Contact fails open Unable to start the emergency No effect. 3
the emergency drum drum brake hydraulic pump.
brake hydraulic pump Unable to release the emergency
motor (also requires relay drum brake.
CTR contact closure).
70
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed No effect. Additional relay No effect. 3
contact (CTR) is required to close,
to apply power to the emergency
drum brake hydraulic pump
motor.
Even if both contacts (CAC line

441 and CTR line 443) were to fail
closed, hydraulic pump would
run, but would not cause the
emergency drum brake to
release.

brake would also require relay
CTR contact on line 519 failing
closed, as well as relays CAC and
CCR2 contacts on line 511 failing
closed to energize the brake
dump valve solenoid.
(Line 511) One of two enables (along Contact fails open Unable to energize relay CTR. No effect. 3
with CCR2) required to Unable to release the emergency
energize relay CTR that drum brake.
applies hydraulic pressure
to allow the emergency
drum brake to release.
71
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed System would operate as No effect. 3

expected by relay contact CAC.
Failure is undetectable.

brake would also require relay
CCR2 contacts on line 511 failing
closed and both of relay CTR
contacts to fail closed (line 443 &
519) to release the emergency
drum brake.
72
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Bridge & Trolley
BSP Relay Energized by the Crane Coil fails open Unable to provide the No effect. 3
(Bridge Supervisory Supervisory PLC, slot 4, if Contact fails open “permissive” (enable) to allow
Permissive) no faults are detected to relays CCR3 and CM2 to energize,
allow bridge & trolley allowing the bridge & trolley
(Line 3049) operation. When control circuits to operate.
energized, provides a Unable to operate the bridge &
1 normally open “permissive” (enable), trolley. No effect on hoist
contact along with series relay operation.
contact BCSP, to allow the
bridge & trolley mainline
control circuit to power up
(relay CCR3 & CM2). If
Crane Supervisor PLC, the
relay will be de-energized
and the “permissive”
(enable) will be removed,
causing power to the
be removed and the
bridge & trolley to halt
operation.
(Line 642) Contact fails closed No effect. No effect. 3
The Operators supervisory PLC

also provides a permissive (BCSP)
which would be removed and halt
bridge & trolley operation.
73
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BCSP Relay Energized by the Coil fails open Unable to provide the No effect. 3
(Bridge Cab Operators Supervisory Contact fails open “permissive” (enable) to allow the
Supervisory PLC, slot 5, if no faults are mainline control circuit to power
Permissive) detected to allow bridge & up. Unable to operate the crane.
trolley operation. When
(Line 3552) energized, provides a
“permissive” (enable)
1 normally open along with series relay
contact BSP, to allow the bridge &
trolley mainline control
circuit to power up (relay
CCR3 and CM2). If an
error is detected by the
PLC, the relay will be de-
energized and the
“permissive” (enable) will
be removed, causing
power to the bridge &
trolley mainline control
circuit to be removed and
the bridge & trolley to halt
operation.
(Line 642) Contact fails closed Unable to halt Bridge & Trolley No effect. 3
operation if an out of tolerance
condition occurs.
The Crane supervisory PLC also

provides a permissive (BSP)
which would be removed and halt
74
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
CCR3 Relay Energized by relay Coil fails open Unable to operate the bridge & No effect. 3
(Control Circuit contacts CCR1, CUV and trolley.
Reset 3) supervisory PLC
permissives BCSP and
(Line 642) BSP. When energized,
performs the following
4 normally open functions to allow bridge &
contacts trolley operation:
(Line 644) • Normally open contact Contact fails open Unable to keep relay CCR3 coil No effect. 3
closes to provide an energized. Unable to operate the
interlock, along with bridge & trolley.
relay contact CM2, to
keep relay CCR3 No effect on hoist operation.
energized after the
“start” switch is
released.
Contact fails closed Failure would be undetectable. No effect. 3
Series contact CM2 would open
and close as required providing
the interlock function for the coil.
If both contacts (CCR3 and CM2)
were to fail closed, there would
be no effect as power would be
removed from the circuit by the
Bridge & Trolley permissives
BSCP and BSP.
75
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 666) • Normally open contact Contact fails open No effect as parallel relay contact No effect. 3
closes to provide power CCR2 is present and performs the
to the Joystick same function.
Potentiometer Power
Supply (PPWR).

from the Joystick power supply.
Power would remain available to
the Bridge, Trolley and Hoist
joysticks.
The Operators Supervisor PLC,

slot 1 monitors the power supply
voltage, but just for over / under-
voltage condition, not for power
being present when it should not.

be required to have
76
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 1560) • Normally open contact Contact fails open Loss of indication to the Bridge & No effect. 3
closes to provide an Trolley PLC that the Bridge
input to the Bridge & mainline contactor has been
Trolley PLC, slot 6, energized. Variable MCE would
(MCE) (along with both always be false (off). The
bridge drive power software examines the variable
modules) that the B & T for an “on” condition, which would
mainline power never be satisfied. The base
contactor has been block input to the bride drives
energized and no bridge would be removed, and the
drive faults exist. Used bridge would not operate.
by the Bridge & Trolley
PLC software.
Contact fails closed Input to the B & T PLC would stay No effect. 3
high and MCE would always be
true. MCE means that B & T
mainline contactor is energized
and neither bridge drive has a
fault. However, other failures
would be required to have
inadvertent motion, and then the
SIS would detect it and remove
the permissives, halting system
operation.
77
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2048) • Normally open contact Contact fails open Loss of indication to the Bridge & No effect. 3
closes to provide an Trolley PLC that the Trolley
indication to the Bridge mainline contactor has been
& Trolley PLC, slot 7, energized. Variable CCR3 would
(CCR3) that the Bridge always be false (off). The
& Trolley mainline software examines the variable
power contactor has for an “on” condition, which would
been energized. Used never be satisfied. Neither the
by the Bridge & Trolley bridge or trolley would operate.
PLC software.
Contact fails closed Input to the Bridge & Trolley PLC No effect. 3
would be high, and memory
variable CCR3 would be always
true. Unable to remove the base
block input to the trolley drive
power module to inhibit its
operation. However, relay CCR3
has additional relay contacts that
will remove power from the
system.
All contacts fail closed If all of relay CCR3 contacts fail No effect. 3
closed, relay CM2 also will open
and remove 3-phase power from
the system.
78
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
CM2 Relay Provides power to the Coil fails open Unable to apply power to the No effect. 3
(mainline contactor bridge & trolley motors control circuits to enable bridge &
for bridge & trolley) and control circuits to trolley operation. Bridge & trolley
allow bridge & trolley would be inoperable.
(Line 645) operation.
3 normally open
contacts
(Line 643) • Normally open contact Contact fails open Unable to latch Relay CCR3. No effect. 3
closes to provide an Relay CCR3 would de-energize as
interlock, along with soon as the “start” switch is
relay contact CCR3, to released.
keep relay CCR3
energized after the Unable to operate the Bridge &
“start” switch is Trolley.
released.
Contact fails closed No effect. Bridge & Trolley No effect. 3

permissives, BCSP and BSP are in
series and would cause relay
CCR3 to de-energize, halting

required to have continued or
uncommanded motion.
79
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 650) • Energizes crane mainline Contact fails open Unable to provide input to the No effect. 3
relay CM2R, which crane supervisory PLC. SIS
provides an input to the would cause a fault when crane
Crane Supervisory PLC operation is attempted.
to indicate that mainline
power has been applied
to the crane.
Contact fails closed Relay CM2R would stay No effect. 3

energized, providing an erroneous
input to the crane supervisory
PLC. However, the crane would
not be operational.
(Line 1005) • Normally open contact Contact fails open Unable to provide 3-phase power No effect. 3
closes to provide 3- to the bridge & trolley controls.
phase power to the Bridge & trolley would be
bridge & trolley control inoperable.
circuit, power modules
and brakes.
80
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Power would be applied to the No effect. 3

bridge & trolley motors and
control circuits.
Should an additional failure occur,

uncommanded motion could
occur, however, the supervisory
system would detect
uncommanded motion, remove
the bridge & trolley permissives
and halt bridge & trolley
operation.
Multiple failures required to have

uncommanded bridge or trolley
motion.
CM2R Relay Normally open contact Contact fails open Loss of indication to crane No effect. 3
(Line 3037) closes to provide an supervisory PLC that bridge &
1 normally open indication to the crane trolley circuit has been energized.
contact supervisory PLC, slot 4,
that relay CM2 has been Crane supervisory PLC will
energized and power has remove its permissive if indication
been applied to the bridge is not present.
& trolley control circuits.
81
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed An erroneous indication will be No effect. 3
supplied to the Crane Supervisory
PLC that hoist mainline power is
available to the system. Other
monitoring will prevent the
system from being enabled for
operation.
PPWR Power Supply Provides 10 VDC power to No output The Operators Supervisory PLC, No effect. 3
the Bridge, Trolley slot 1, monitors the power supply
joysticks and Hoist (Hoist output voltage.
joystick and Float
potentiometer) for speed When loss of power is detected,
control. the PLC will remove all
“permissives” halting crane
operation.
The output voltage of the High / low output The Operators Supervisory PLC, No effect. 3
power supply is provided slot 1, monitors the power supply
to the Operators output voltage. Should the
Supervisor Control PLC voltage be outside the allowable
(line 3632). One second limits, high or low, the PLC will
after the input signal from remove all “permissives” halting
the mainline contactor, crane operation.
the SIS compares the
voltage to a minimum and
maximum allowed value.
If the voltage is outside
the allowed range, the SIS
will remove all
permissives, halting
system operation.
82
SAA00029
Rev. A
Table 6. FMEA – Bridge Drive & Controls Pages 83 to 154
System/Subsystem: 200-Ton RPSF Bridge Crane / Bridge Drawing No.: Ederer F-42784,
PMN: K60-0562, K60-0563 F-44503
Reference: Fig 9 & 11
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
1 Gear Reducer Couples motor to the Disengages Bridge would stop motion. No effect. 3
51H drive wheels and reduces
rotation speed
6 Coupling Connects drive Disengages Bridge would stop motion. No effect. 3

mechanism (including
brake) to bridge wheels
None Belt Connects the bridge motor Belt breaks or slips The supervisory PLC compares No effect. 3
shaft to the bridge Selsyn the bridge Selsyn encoder
transmitter, via pulleys. measurement with the bridge
motor encoder. If there is a
discrepancy between the
readings, the Supervisory PLC will
detect the fault and halt bridge
and trolley operation.
83
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None Joystick Spring loaded, center off

(Bridge) position, provides crane
operator control of speed,
travel direction and Bridge
brake release.
The joystick incorporates

dual potentiometers and
direction contacts.
• “Deadman” safety a. Fails to return to center Joystick would not return to the No effect. Correcting action 3
feature, should the “off” position center position, and the bridge will prevent loss of life should
crane operator become b. Mechanical failure would continue motion in the the operator become
incapacitated, the c. N/A selected direction and speed. incapacitated and the
joystick would return to d. A second crane “deadman” switch on the
the center off position, operator (observer) in See ground rule 3.i joystick also fail closed.
halting crane motion crane cab is present as
and setting the brakes. a backup to primary
crane operator
e. Observer in crane cab
will press e-stop if
primary operator
becomes incapacitated.
f. > 3 seconds
g. <= 3 seconds
84
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Normally closed contact Mainline control contact Unable to operate crane. No effect. 3
when joystick is in the fails open
“center” position.
Joystick output goes to
Mainline contactor reset
circuit, line 636, which
verifies the joystick is in
the centered off position
to allow crane to “power
up”. No effect on crane
operation after that.
Mainline control contact There are 3 additional normally No effect. 3
fails closed open series contacts (Main Hoist
joystick (MH), Trolley joystick
(TROL), Float potentiometer.
(The Aux hoist joystick is also in
series, but bypassed). These
additional contacts prevent power
from being inadvertently applied
to the mainline control circuit
unless all joysticks are in the
neutral position.
85
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Bridge East travel

Direction
Dual Contacts
When the operator moves

the joystick to select east
bridge travel, two
normally open directional
contacts close as
described below:
• One contact closes to Normally open contact Loss of east travel direction input No effect. 3
directly provide a fails open to the Bridge & Trolley PLC.
discrete input to the Unable to operate bridge in east
Bridge & Trolley PLC, direction.
slot 6, line 1544, to
indicate bridge east
travel is commanded by
the operator.
86
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Normally open contact The Bridge & Trolley PLC would No effect. 3
fails closed be provided with an erroneous
east bridge direction command.
However, without a concurrent
speed input from the
potentiometer, no motion would
occur.
If a failure of the speed

potentiometer should also occur,
the supervisory PLC’s would
detect uncommanded motion and
remove the permissives (BSP &
BCSP), inhibiting bridge and
trolley operation. Should the
supervisory system also fail,
uncommanded motion would
result.
87
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• One contact energizes Normally open contact The supervisory system would not No effect. 3
relay BE which provides fails open be informed that bridge east
a discrete input to the travel has been commanded.
PLC, slot 5, on line 3540 The supervisory PLC’s would
for system monitoring detect uncommanded motion and
purposes. remove the bridge & trolley
permissives (BSP & BCSP).
Bridge & trolley operation would

be inhibited.
88
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Normally open contact When the operator moves the No effect. 3

fails closed joystick back to the center
position, relay BE would continue
to be energized, and bridge east
travel command would continue
to be provided to the Operators
Supervisory PLC.
The dual speed potentiometers

output voltage should return to
zero VDC output when the
joystick is returned to the center
position, indicating a zero speed /
stop condition.
Failure of the redundant direction

contact to the bridge & trolley
PLC, and both potentiometers
would be required for
uncommanded motion to occur.
Both direction contacts fail If both direction inputs (east and No effect. 3
closed west) are received at the same
time, the Supervisory PLC’s will
remove both permissives (BSP &
BCSP), inhibiting bridge & trolley
operation.
89
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Bridge west travel

Direction
Dual Contacts

the joystick to select west
travel, two normally open
directional contacts close
as described below:
• One contact closes to Normally open contact Loss of west travel direction input No effect. 3
provide a discrete input fails open to the Bridge & Trolley PLC.
to the Bridge & Trolley Unable to operate bridge in west
PLC, slot 6 on line 1545 direction.
to indicate bridge west
the operator.
90
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
fails closed be provided with a west bridge
direction command. However,
without a concurrent speed input
from the potentiometer, no
motion would occur.

trolley operation.
Should the supervisory system

also fail, uncommanded motion
would result.
relay BW that provides a fails open be informed that bridge west
discrete input to the travel has been commanded. The
Operators Supervisory supervisory PLC’s would detect
PLC, slot 5, on line 3540 uncommanded motion and
for system monitoring remove the bridge & trolley
purposes. permissives (BSP & BCSP).
be inhibited.
91
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

position, relay BW would continue
to be energized, and bridge west
Supervisory PLC.

stop condition.

Both direction contacts fail If both direction inputs (east and No effect. 3
closed west) are received at the same
time, the Supervisory System will
remove its permissives (BSP &
BSCP) inhibiting bridge & trolley
operation.
92
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Thumb switch allows Fails Open The thumb switch to manually N/A N/A
the operator to Fails Closed release the bridge brake has been
manually release the disconnected. The circuitry is still
bridge brake (via Relay present, in case it is decided to be
logic BT & BBC). used, but is not currently used.
Joystick is equipped with

dual speed potentiometers
as described below:
• Center tapped No output Bridge speed would be set to zero No effect. 3

potentiometer outputs a (no motion). Unable to operate
(+/-) 0-10 VDC voltage bridge.
to the Bridge & Trolley
PLC, slot 3, for
commanding bridge
motor speed.
93
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This potentiometer High output Voltage higher than expected No effect. 3

provides the voltage would be provided to the bridge &
(speed command) to drive trolley PLC, resulting in bridge
the bridge motor. The speed greater than commanded.
bridge motor speed and
direction is provided by A redundant speed potentiometer
the secondary motor provides an equivalent voltage to
encoder, and by the the supervisory PLC for
selsyn, to the Supervisory monitoring purposes.
PLC’s. The actual speed
(as provided by the If the supervisory PLC detects
secondary motor encoder speed higher than commanded,
and Selsyn, is compared the bridge & trolley permissives
to the commanded speed (BSP & BCSP) would be removed
(provided by the and bridge & trolley operation
redundant potentiometer would be inhibited. In addition,
input to the Supervisory the SIS checks to ensure that the
PLC), and if they are not potentiometer voltage returns to
the same, a fault is zero when the joystick is returned
generated, and the to the center “off” position.
supervisory PLC removes
its permissives, and halts Also reference Ground Rule c.
94
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output A redundant speed potentiometer No effect. 3
provides an equivalent voltage to
the supervisory PLC for
monitoring purposes. If the
commanded speed does not
agree with the actual speed, then
a fault will cause the permissives
to be removed, and halt bridge
• Center tapped No output The Supervisory system would No effect. 3

potentiometer outputs a not be informed that bridge
(+/-) 0-10 VDC voltage motion has been commanded.
to the Operators The supervisory system would
Supervisory PLC, Slot 2, detect what it thinks is
indicating commanded uncommanded motion, remove
bridge speed for the bridge & trolley permissives
monitoring purposes. (BSP & BCSP), inhibiting bridge &
trolley operation.
95
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High output The secondary potentiometer No effect. 3
voltage input for is used by the
supervisory PLC for detecting an
over-speed condition. This value
is used in a calculation, and an
erroneous high value would result
in an incorrect calculation. If the
actual speed does not equal the
speed expected by the SIS, a
fault will occur, halting bridge &
trolley operation.
In addition the SIS checks to

ensure the potentiometer voltage
returns to zero volts when the
“off” position.
Low output The supervisory PLC would No effect. 3

compare its monitoring input with
the actual speed. Since the
supervisory PLC is getting an
erroneous low voltage, it would
think the bridge is operating at a
speed greater than commanded
and remove the bridge & trolley
permissives (BSP & BCSP) to
inhibit bridge operation.
96
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None Fine / Coarse Speed Selects fine (slow) or a. Fails open Unable to select fine (slow) speed No effect based on ground 3
Select switch coarse (fast) speed as (Fine speed position) for bridge travel. If the operator rule 3.c that says operator is
required by the operator. b. Mechanical failure, is changing speed from Coarse required to switch to slow
Switch is normally closed welded contacts (fast) to fine speed, neither speed speed within 10 feet of
in the Fine speed position. c. N/A input would be provided to the B structure, which will give
Provides an input to the d. Operator will have to & T PLC and SIS. adequate time to intervene if
Operators Supervisory notice that bridge a failure occurs.
PLC, Slot 5, and to the speed did not change No speed command would be
Bridge & Trolley PLC, Slot as commanded. provided to the bridge motors. Correcting action prevents
6, via relays BFS (Fine) or e. Move joystick to off No motion would occur. loss of life.
BCS (coarse). position, or press e-
stop However, should the BCS relay
f. > 3 seconds contacts not open (both contacts
g. <= 3 seconds fail closed), the system would not
know that the operator has
changed speed from coarse to
fine. Bridge would continue
operation in coarse speed.
Fails closed Unable to select coarse (fast) No effect. 3

(Fine speed position) speed for bridge travel.
Fails open Unable to select fast speed for No effect. 3

(Coarse speed position) bridge travel. Fine (slow) speed
would also not be selected. The
Operators Supervisory PLC will
detect loss of both speed range
inputs (line 3541) and remove
the bridge & trolley permissives
(BSP & BCSP), inhibiting bridge &
trolley operation.
97
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Fails closed Unable to select fine (slow) speed No effect based on ground 3
(Coarse speed position) for bridge operation when rule 3.c that says operator is
b. Mechanical failure, required. required to switch to slow
welded contacts speed within 10 feet of
c. N/A The Bridge & Trolley PLC and the structure, which will give
d. Operator will have to Operators Sup. PLC will continue adequate time to intervene if
notice that bridge to get a coarse (fast) speed input. a failure occurs.
speed did not change Bridge will continue motion in fast
as commanded. speed. Correcting action prevents
e. Move joystick to off loss of life.
position, or press e-
stop
f. > 3 seconds
g. <= 3 seconds
BCS Relay Energized when the Coil fails open / short SIS sheet 15 checks for neither No effect. 3
(Bridge Coarse operator selects coarse Both contacts fail open speed input present. The SIS will
Speed) speed, closes two detect a “bridge_no_spd_sel_flt”,
Line 1512 normally open relay remove the permissives and halt
(2 Normally open contacts to command bridge & trolley operation.
contacts) bridge fast speed
operation.
(Line 1549) • Normally open relay Normally open contact For coarse speed operation, line No effect. 3
contact closes to provide fails open 20 (CSODN) would not be true,
a discrete input to the and coarse speed operation would
Bridge & Trolley PLC, not be available for trolley
Slot 6, that bridge operation. Trolley motion would
coarse speed has been stop.
selected by the
operator.
98
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This contact is used for a. Normally open contact Bridge & Trolley PLC, Slot 6, No effect based on ground 3
two functions, line 20 of fails closed (TPLCDI) would be provided with rule 3.c that says operator is
the BSpeed logic, which b. Mechanical failure or an erroneous coarse (fast) speed required to switch to slow
will make CSODN (Calc welded contacts input (as well as a fine speed speed within 10 feet of
Speed Output Digital c. N/A input). This failure would be structure, which will give
Number) true if bridge d. Operator will have to undetected if everything else adequate time to intervene if
fine speed is not selected, notice that bridge works normally. The B & T a failure occurs.
neither slow limit switch is speed did not change software is written such that if
tripped, and bridge coarse as commanded. fine and coarse inputs are both Correcting action prevents
speed is selected. e. Move joystick to off provided, the fine speed will be loss of life.
CSODN, when true, allows position, or press e- provided to the bridge motors.
the speed output from the stop However, if the fine speed input
PLC to the BDPMs. f. > 3 Seconds fails open, then coarse speed
g. <= 3 Seconds would result.
Also, used in main line 14
for skew detection fault.
(Line 3541) • Normally open relay BCS Normally open Coarse speed is commanded, but
contact closes to provide a contact fails open unable to provide coarse speed
discrete input to the input to Operators Supervisory
Operators Supervisory PLC. The bridge & trolley PLC
PLC that bridge coarse would command the bridge to
speed has been selected operate in coarse speed.
by the operator. Used by
the SIS software for 3
functions.
99
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
SIS Sheet 15 SIS Sheet 15 No effect. 3
If the mainline contactor is The intent is to check the fine /
energized, checks that coarse speed select switch is OK,
both coarse and fine and associated relays (BFS &
speed inputs are not BCS). If there were a failure
present at the same time. where both fine and coarse speed
If they are, then a fault is inputs were simultaneously
generated. provided, then the failure would
(bridge_speed_sel_fault) not be detected by the SIS.
which will halt bridge &
trolley operation. The bridge & trolley PLC, with
both inputs applied, would
operate in slow speed.
Also checks for neither SIS sheet 15 checks for neither No effect. 3
input being provided. Fine speed input present. The SIS will
or coarse speed should be detect a “bridge_no_spd_sel_flt”,
provided, depending on remove the permissives and halt
the position of the fine / bridge & trolley operation.
coarse speed select
switch.
100
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
SIS Sheet 23 SIS sheet 23 No effect. 3
The Bridge & Trolley The Supervisory PLC would not
software uses a “select” get the input telling it coarse
function to determine speed had been selected. The
which scaling factor to use SIS software would not select the
to multiply the secondary proper scaling factor for
joystick potentiometer calculating “bridge_cmd_rpm” for
input by. This value then coarse speed.
becomes the
“bridge_cmd_rpm”, which The SIS software function selects
is used on sheet 24, Motor fine speed if coarse speed is not
response vs. command, to selected. Speed greater than
determine if the actual commanded will not occur.
bridge speed is equal to
the commanded speed.

The SIS software Should a delta exist between the
subtracts the bridge bridge encoder freq and the
(motor) encoder bridge disp freq, then the bridge
frequency coarse display fault would not
(“bridge_enc_freq”) from trip.
the bridge display
(Selsyn) frequency Even though this function would
(“bridge_disp_freq”) not execute, the function on
value. If the delta sheet 23 (above) would detect a
between the two values is delta between commanded speed
greater than allowed, then and actual bridge motor speed,
a fault will be generated and remove the Bridge & trolley
based on which speed is permissives.
selected (coarse or fine).
101
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BCS Normally open Sheet 15 No effect. 3

contact fails closed Operators Supervisory PLC would
be provided with an erroneous
input that Coarse (fast) speed has
been selected by the operator.
Every time fine speed is selected,

the Operators Supervisory PLC
would be provided with both
speed range inputs (fine &
coarse), which would cause a
fault (bridge_speed_sel_fault) to
occur. The SIS would remove
both bridge & trolley permissives,
inhibiting bridge and trolley
operation.
Sheet 23 No effect. 3
This function calculates the
bridge_cmd_rpm value which is
used in the motor response vs
cmd function on sheet 24. The
software is written such that if the
coarse speed relay fails closed,
fine speed will take precedence.
A fault will be tripped since the
actual speed will not equal the
commanded speed.
102
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The SIS software checks for a
delta between the secondary
encoder and selsysn. If a delta
exits, the coarse relay failing
closed would generate an
erroneous bridge coarse display
fault as well as the fine display
fault.
a. Both BCS relay Both fine speed and coarse speed No effect based on ground 3
contacts fail closed inputs would be provided to the rule 3.c that says operator is
b. Mechanical failure, Bridge & Trolley PLC and the required to switch to slow
welded contacts Operators Supervisory PLC. speed within 10 feet of
c. N/A structure, which will give
d. Operator / observer With both speed inputs provided adequate time to intervene if
could detect bridge to the Operators Supervisory PLC, a failure occurs.
speed is not as a fault (bridge_speed_sel_fault)
expected. would occur (SIS sheet 15). The Correcting action prevents
e. Return joystick to SIS would remove both bridge & loss of life.
center off position or trolley permissives, inhibiting
press e-stop. bridge and trolley operation.
f. > 3 seconds
g. <= 3 seconds However, a concurrent failure of
relay BFS to energize, or both
BFS relay contacts fail open,
bridge speed greater than desired
would occur.
103
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BFS Relay Energized when the a. Coil fails open / short Unable to provide a fine speed No effect based on ground 3
(Bridge Fine Speed) operator selects fine (both contacts fail input to the bridge & trolley PLC rule 3.c that says operator is
Line 1512 (slow) speed, closes two open) and the Supervisory PLC. Bridge required to switch to slow
normally open relay b. Electrical failure, & Trolley PLC would be unable to speed within 10 feet of
2 Normally open contacts to initiate bridge physical failure of coil command fine (slow) speed for structure, which will give
contacts slow speed operation. or leads/connection bridge travel. Bridge would not adequate time to intervene if
points operate. a failure occurs.
c. N/A
d. Operator / observer However, a concurrent failure of Correcting action prevents
could detect bridge relay BCS, where both relay loss of life.
speed is not as contacts fail closed, the Bridge &
expected. Trolley PLC, Bspeed software line
e. Return joystick to 20, would command the bridge
center off position or motor to operate in coarse speed.
press e-stop.
f. > 3 seconds Since the supervisory PLC would
g. <= 3 seconds only have coarse speed inputs (no
fine speed inputs), undetected
speed faster than commanded
would occur.
104
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 1556) • Normally open relay BFS relay normally open Input to the B & T PLC would be No effect. 3
contact closes to provide contact fails open an “off” condition. Unable to
a discrete input to the execute the Fine (slow) speed
Bridge & Trolley PLC, calculation (BFSCC) for bridge
slot 6 (TPLCDI), that operation (line 14). Bridge would
bridge Fine speed has not operate.
been selected by the
operator. A concurrent failure of relay BCS
contact to the bridge & trolley PLC
Used by two lines of failing closed would result in
code in the Bridge & CSODN being true (line 20), and
Trolley software. a coarse speed command being
Examined for an “on” issued to the bridge drive power
condition (line 14) to modules. Bridge speed would be
perform the bridge fine faster than commanded.
speed calculation
(BFSCC). However, the Operators
Supervisory PLC would also be
Examined for an “off” provided with an indication that
condition (line 20) in fine speed is selected, by the
addition to an “on” second BFS relay contact. The
condition for coarse Operators Supervisory PLC would
speed command compare the secondary motor
(CSODN). encoder output with the
calculated speed that the speed is
greater than commanded, and
halt bridge and trolley operation.

undetected speed greater than
commanded.
105
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BFS relay normally open The Bridge & Trolley PLC would No effect. 3
contact fails closed continuously be provided with a
Fine (slow) speed input. (The
Operators Supervisory PLC is also
provided with a separate relay
contact closure, which would be
open).
With both speed inputs provided

to the B & T PLC, the bridge
motors would operate in fine
speed.
When coarse speed is

commanded, the supervisory PLC
would be expecting coarse speed
operation, when the bridge
motors would be operating in fine
speed. The supervisory PLC will
detect a delta between
commanded speed and actual
speed, remove the permissives,
and halt B & T operation.
A failure resulting in speed slower

than commanded is not a critical
failure.
106
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 3541) • Normally open relay BFS relay normally open Effects assessed below.
contact closes to provide contact fails open
a discrete input to the
PLC that Bridge fine
speed has been selected
by the operator.
Used by the SIS for 3

software functions.

If the mainline contactor is If there were a failure where both
energized, checks that fine and coarse speed inputs were
both coarse speed and simultaneously provided, then the
fine speed inputs are not failure would not be detected by
present at the same time. the SIS.
If they are, then a fault is
generated. The bridge & trolley PLC, with
(bridge_speed_sel_fault) both inputs applied, would
which will halt bridge & operate in slow speed. The SIS
trolley operation. would think coarse speed is
commanded. The SIS would
107
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Also checks for neither No effect. Would also require No effect. 3

input being provided. coarse speed to not be present
Either fine or coarse speed also.
should be provided,
depending on the position
of the fine / coarse speed
select switch.

software uses a “select” get the input telling it fine speed
function to determine had been selected. The SIS
which scaling factor to use software function selects fine
to multiply the secondary speed if coarse speed is not
joystick potentiometer selected.
input by. This value then
becomes the If a concurrent failure of the
“bridge_cmd_rpm”, which coarse speed input failing high
is used on sheet 24, Motor would be detected by the
response vs. command, to software on sheet 15, and cause
determine if the actual a “bridge_speed_sel_fault” to
bridge speed is equal to occur, and the SIS would remove
the commanded speed. the bridge & trolley permissives,
halting operation.
108
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
subtracts the bridge bridge encoder freq and the
(motor) encoder bridge disp freq, then the bridge
(“bridge_enc_freq”) from trip.
the bridge display
(Selsyn) frequency Even though this function would
(“bridge_disp_freq”) not execute, the function on
greater than allowed, then and actual bridge motor speed,
based on which speed is permissives, halting operation.
BFS Normally open Sheet 15 No effect. 3

input that Fine (slow) speed has
Every time coarse speed is

selected, the Operators
Supervisory PLC would be
provided with both speed range
inputs (fine & coarse), which
would cause a fault
(bridge_speed_sel_fault) to
operation.
109
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
bridge_cmd_rpm value which is
cmd function on sheet 24. Fine
speed will be calculated.
exits, the fine speed relay failing
erroneous bridge fine display fault
as well as the coarse display fault.
Both BFS relay contacts Both fine speed and coarse speed No effect. 3
fail closed inputs would be provided to the
Bridge & Trolley PLC and the
Operators Supervisory PLC.

to the Operators Supervisory PLC,
a fault (bridge_speed_sel_fault)
would occur (SIS sheet 15). The
SIS would remove both bridge &
trolley permissives, inhibiting
bridge and trolley operation.
110
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BE Relay Energized when the Coil fails open / short Loss of east direction input to
(Bridge East) operator moves the Contact fails open Operator Supervisory PLC. The
Line 1515 joystick to the right, one input to the Sup. PLC is for fault
1 normally open normally open relay detection only, and does not
contact contact closes to provide provide a direction command to
(Line 3540) an indication to the the bridge motor. That is done
supervisory system that by the bridge & trolley PLC.
bridge motion in the east
direction has been Itemized failure effects are below.
commanded by the
operator.
The SIS software uses this

input for the following
functions:
• Pre-startup check to (SIS sheet 13) No effect. 3
ensure bridge joystick This assumes the joystick is in the
east direction is not being center “off” position, and only the
commanded at startup direction contact has failed
(SIS sheet 13) closed. The SIS would not detect
a failure of the bridge joystick
east direction contacts failing
closed since the input to the SIS
is not present. Even thought a
direction command is present,
since the joystick is in the center
position, there would be no speed
output from the potentiometers
for motion to occur.
111
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This would assume the joystick No effect. 3

has failed in an “off center”
position. If the joystick is not in
the center off position, the enable
to the mainline circuit would not
be present, and power would not
be applied to the system.
Therefore no motion would occur.
• Checks that both The SIS would not be provided No effect. 3

directions (bridge east and the east direction input. Should
west) are not both bridge joystick direction
simultaneously contacts fail closed, then both
commanded at anytime direction commands would be
during system operation applied to the bridge & trolley
(SIS sheet 16) PLC. Bridge & Trolley software,
checks that, if a east command is
present that the west command is
not present. No motion would
occur.
112
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Checks for a bridge Potentially, if the bridge joystick No effect. 3

joystick potentiometer east contact has failed closed, but
output if neither direction the input to the PLC has failed
input present (SIS sheet open, and a potentiometer
16) voltage is present, it would not be
detected. Requires failure of the
bridge joystick (erroneous east
direction command) and a failure
of the potentiometer.
• Used to update the Sets an initial minimum speed No effect. 3

bridge_cmd_rpm value value for Bridge_cmd_rpm. If the
(SIS sheet 23) BE relay contact fails open, the
initial value would not be correctly
set, however, the value would be
update quickly to the correct
value.
113
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Checking for motor The SIS would not detect speed No effect. 3
response vs. commanded greater than commanded or
speed (SIS sheet 24) motion in the wrong direction.
This function checks for However, additional SIS

speed greater than monitoring checks that with
commanded, travel in the neither direction input present,
wrong direction, and with and speed <> 0, will trigger a
neither direction input, fault.
speed input should be 0.
(uncommanded motion) So, when bridge east direction is
commanded, and the relay
contact fails open, a fault would
be triggered, the permissives
would be removed, halting bridge

commanded, travel in the wrong
direction, or uncommanded
motion. (failure causing speed or
direction error, SIS fails to detect
fault, or both permissive relays
fail closed.)
• Checks that the brake is When the bridge east direction is No effect. 3
set if no direction commanded, the bridge east
command is present (SIS direction contact would be open,
sheet 25) and the bridge_brake_fault (320)
would be tripped, since the brake
would be released with no
direction commanded provided.
114
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed (SIS sheet 13) No effect. 3

If the bridge east relay contact
fails closed, the pre-start check
would detect the failure. The SIS
would remove the permissives,
inhibiting bridge & trolley
operation.
(SIS sheet 16) No effect. 3

When a bridge west command is
issued, both direction inputs to
the SIS would be present. The
SIS would detect a fault and
remove the bridge & trolley
permissives, halting operation.

If a bridge east command is
issued, there would be no effect
on the logic. If a bridge west
command were issued, no effect
on this software function as the
logic on sheet 16 would cause a
fault as both direction inputs
would be provided.
115
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

If a bridge east command is
on the logic. If a bridge west
would be provided.

The SIS would be provided with a
constant bridge east direction
indication. Should the bridge
brakes not set, the fault would
never trip, since a direction input
is always present. When a west
command is issued, both direction
inputs will be present, and the
logic on sheet 16 will detect the
fault, remove the permissives and
halt bridge & trolley operation.
116
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BW Relay Energized when the Coil fails open / short Loss of west direction input to
(Bridge West) operator moves the Contact fails open Operator Supervisory PLC. The
Line 1517 joystick to the left, one input to the Sup. PLC is for fault
1 normally open normally open relay detection only, and does not
contact contact closes to provide provide a direction command to
(Line 3540) an indication to the the bridge motor. That is done
supervisory system that by the bridge & trolley PLC.
bridge motion in the west
commanded by the
operator.

functions:
• Pre-startup check to This assumes the joystick is in the No effect. 3

ensure bridge joystick center “off” position, and only the
west direction is not being direction contact has failed
commanded at startup closed. The SIS would not detect
(SIS sheet 13) a failure of the bridge joystick
west direction contacts failing
is not present. Even thought a
117
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

directions (bridge east and the west direction input. Should
west) are not both bridge joystick direction
checks that, if a west command is
present that the east command is
not present. No motion would
occur.
• Checks for a bridge Potentially, if the bridge joystick No effect. 3

joystick potentiometer west contact has failed closed,
output if neither direction but the input to the PLC has failed
input present (SIS sheet open, and a potentiometer
16) voltage is present, it would not be
bridge joystick (erroneous west
118
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

bridge_cmd_rpm value value for Bridge_cmd_rpm. If the
(SIS sheet 23) BW relay contact fails open, the
value.
119
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

(uncommanded motion) So, when bridge west direction is

fail closed.)
120
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Checks that the brake is When the bridge west direction is No effect. 3
set if no direction commanded, the bridge west
sheet 25) and the bridge_brake_fault (320)

If the bridge west relay contact
operation.

When a bridge east command is
121
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

If a bridge west command is
on the logic. If a bridge east
would be provided.

If a bridge west command is
on the logic. If a bridge east
would be provided.
122
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
constant bridge west direction
indication. Should the bridge
is always present. When an east
None Thumb Button Normally open manual Fails open Thumb button circuit is currently N/A N/A
push button, when disconnected and not used.
pressed, energizes relay
BT to allow the operator
to manually release the
bridge brakes.
Fails closed The bridge brakes have been N/A N/A

assessed as non-critical, so failure
to manually release the brakes is
not analyzed. See ground rule
3.g.
123
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BT Relay When the operator Coil fails open / short Bridge brakes have been N/A N/A
(Bridge Brake presses the thumb button assessed as non-critical and are
Release) on the Bridge joystick, not analyzed. See ground rule
Line 1518 relay BT is energized, 3.g.
(3 normally open which releases the bridge
contacts) brakes.
(Line 1510) • Normally open relay Relay contact fails open Bridge brakes have been N/A N/A
contact, when closed, assessed as non-critical and are
energizes relay BBC not analyzed. See ground rule
(Bridge Brake 3.g.
Contactor) which
actually releases the
brakes.
Normally open contact Bridge brakes have been N/A N/A
fails closed assessed as non-critical and are
3.g.
provides discrete input not analyzed. See ground rule
to Bridge & Trolley PLC, 3.g.
slot 5, that the brakes
have been commanded
to release.
Relay contact fails closed Bridge brakes have been N/A N/A
assessed as non-critical and are
3.g.
124
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
provides discrete input not analyzed. See ground rule
to Operators 3.g.
supervisory PLC, slot 5,
that the brakes have
been commanded to
release.
Relay contact fails closed Bridge brakes have been N/A N/A
assessed as non-critical and are
3.g.
125
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BB1R Relay Energized by the Bridge Coil fails open / short Bridge brakes have been N/A N/A
(Bridge Brake 1 Drive 1 Power Module assessed as non-critical and are
Relay) (BD1PM) Line 1635, not analyzed. See ground rule
Line 1635 closes 2 normally open 3.g.
(2 normally open relay contacts.
contacts)
BB1R is in series with
BB2R. When both relay
contacts close, relay BBC
is energized, which
releases both bridge
brakes.
(Line 1509) Provides 1 of 2 enables Normally open contact Bridge brakes have been N/A N/A
(along with BB2R) to fails open assessed as non-critical and are
energize Bridge Brake not analyzed. See ground rule
Contactor relay BBC to 3.g.
release the bridge brakes.

3.g.
126
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(along with BBC and fails open assessed as non-critical and are
BB2R) to provide a not analyzed. See ground rule
discrete input to the 3.g.
bridge & trolley PLC, slot
6, indicating the bridge
brakes have been
commanded to release.
3.g.
BB2R Relay Energized by the Bridge Coil fails open / short Bridge brakes have been N/A N/A
(Bridge Brake 2 Drive Power Module 2 assessed as non-critical and are
Relay) (BD2PM) Line 1665, not analyzed. See ground rule
Line 1665 closes 2 normally open 3.g.
(2 normally open relay contacts.
contacts)
BB2R is in series with
BB1R. When both relay
contacts close, relay BBC
is energized, which
releases both bridge
brakes.
(with BB2R) to energize fails open assessed as non-critical and are
Bridge Brake Contactor not analyzed. See ground rule
relay BBC to release the 3.g.
bridge brakes.
127
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

3.g.
(with BBC and BB1R) to fails open assessed as non-critical and are
provide a discrete input to not analyzed. See ground rule
the bridge & trolley PLC, 3.g.
slot 6, indicating the
bridge brakes have been
commanded released.
3.g.
BBC Relay Energized by either relay Coil fails open / short Bridge brakes have been N/A N/A
(Bridge Brake contact BT, or relay assessed as non-critical and are
Contactor) contacts BB1R and BB2R. not analyzed. See ground rule
Line 1509 When energized, closes 3.g.
(3 normally open relay contacts to release
contacts) both Bridge brakes
simultaneously, provides
discrete inputs to the
Bridge PLC (BPLCDI) line
1547 and to the Crane
Supervisory PLC (line
3034).
128
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 1066) • Two normally open Normally open contacts Bridge brakes have been N/A N/A
ganged relay contacts fail open assessed as non-critical and are
close to provide 460 not analyzed. See ground rule
VAC to both bridge 3.g.
brakes to release them.
Normally open contacts Bridge brakes have been N/A N/A

fail closed assessed as non-critical and are
3.g.
(Line 1547) • Provides 1 of 3 enables Normally open contact Bridge brakes have been N/A N/A
(with BB1R and BB2R) fails open assessed as non-critical and are
to provide a discrete not analyzed. See ground rule
input to the bridge & 3.g.
trolley PLC, slot 6,
indicating the bridge
brakes have been
commanded released.
3.g.
129
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 1733) • One normally open relay Normally open contact Bridge brakes have been N/A N/A
contact closes to fails open assessed as non-critical and are
energize relay BBR, not analyzed. See ground rule
which provides an input 3.g.
to the Crane
Supervisory PLC that the
bridge brakes have been
3.g.
BBR Relay • One normally open relay Normally open contact Bridge brakes have been N/A N/A
Line 1733 contact closes to provide fails open assessed as non-critical and are
1 normally open a discrete input to the not analyzed. See ground rule
contact Crane Supervisory PLC 3.g.
(Line 3033) that the bridge brakes
have been commanded
to release.
3.g.
130
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
East-Slow Limit Switch Provides an input to the Fails open The bridge & trolley PLC will be No effect. 3
Line 1550 Bridge & Trolley PLC. provided with an indication that
When the limit switch is the east slow limit switch has
opened (tripped), the been tripped. Bridge will be
Bridge & Trolley PLC unable to operate in coarse speed
software will automatically in the east direction. Bridge will
switch the bridge to Fine operate in fine (slow) speed mode
(slow) speed mode when only, while moving in east
moving in the east direction.
direction.
Limit switch does not a. Fails closed Electrical Control system will not Operator intervention 3
provide an input to the b. Mechanical failure automatically switch speed to prevents loss of life with a
SIS. c. N/A slow. Bridge will continue east concurrent failure of joystick
d. Operator must travel in coarse (fast) speed (if or e-stop circuit.
recognize that bridge selected).
has entered a slow
speed zone, and is still Operator is trained to reduce
in coarse speed, and speed as the bridge approaches
either return joystick to limits switches. The limit switch
center off position or is to ensure that speed is reduced
press e-stop to halt if the operator does not reduce
crane operation. speed as required.
e. Operator will return
joystick to center off Operator error required.
position, press e-stop.
f. > 3 seconds
g. <= 3 seconds
131
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
West-Slow Limit Switch Provides an input to the Fails open The bridge & trolley PLC will be No effect. 3
When the limit switch is the west slow limit switch has
opened (tripped), the been tripped. Bridge will be
software will automatically in the west direction. Bridge will
switch the Bridge to Fine operate in fine (slow) speed mode
(slow) speed mode when only, while moving in west
moving in the west direction.
direction.
SIS. c. N/A slow. Bridge will continue west concurrent failure of joystick
recognize that bridge selected).
has entered a slow
in coarse speed, and speed as the bridge approaches
f. > 3 seconds
g. <= 3 seconds
132
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
East-Stop Limit Switch Allows or inhibits an east Fails open Input to the bridge and trolley No effect. 3
Line 1552 direction command to the PLC will not be available. The
bridge drive power Bridge & Trolley PLC would not
modules. When closed, turn on the east direction output
allows an east direction to the Bridge Drive Power
command to the bridge Modules. The Bridge Drive Power
drive power modules, and Modules are inhibited from
when tripped, removes operating with input missing.
the direction command Bridge east travel will be
from the bridge drive inhibited. West travel is
power modules, halting unaffected.
bridge motion. The bridge
can be operated in the
west direction to
“backout”. Used on one
line only (line 20) of the B
& T software.
The limit switch does not

provide an input to the
SIS.
a. Fails closed Bridge will continue past Should a concurrent failure of 3
b. Mechanical failure maximum allowed east travel. the bridge joystick or bridge
c. N/A Hard stops will stop bridge, or & trolley PLC occur,
d. Operator must operator can hit e-stop to halt correcting action will halt
recognize that bridge operation. bridge motion if limit switch is
has gone past the tripped and motion continues,
maximum travel limit, Bridge operation is not allowed preventing possible loss of life
and is still moving. past this stop limit, and would or damage to flight hardware.
e. Press e-stop require operator error.
f. > 3 seconds
g. <= 3 seconds
133
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
West-Stop Limit Switch Allows or inhibits a west Fails open Input to the bridge and trolley No effect. 3
bridge drive power Bridge & Trolley PLC would not
modules. When closed, turn on the west direction output
allows a west direction to the Bridge Drive Power
command to the bridge Modules. The Bridge Drive Power
drive power modules, and Modules are inhibited from
when tripped, removes operating with input missing.
the direction command Bridge west travel will be
from the bridge drive inhibited. East travel is
power modules, halting unaffected.
bridge motion. The bridge
east direction to
line only (line 22) of the B
& T software.

SIS.
a. Fails closed Bridge will continue past Should a concurrent failure of 3
b. Mechanical failure maximum allowed west travel. the bridge joystick or bridge
c. N/A Hard stops will stop bridge, or & trolley PLC occur,
recognize that bridge operation. bridge motion if limit switch is
maximum travel limit, Bridge operation is not allowed preventing possible loss of life
and is still moving. past this point, and would require or damage to flight hardware.
e. Press e-stop operator error.
f. > 3 seconds
g. <= 3 seconds
134
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
B1GS Relay The relay provides an Coil fails open / short The laser skew alignment system N/A N/A
B2GS (Bridge motor speed input to the Bridge & Contact fails open has been assessed as non-critical,
greater than speed Trolley PLC, Slot 5, for use Contact fails closed and thus is not analyzed.
set point) by the laser skew
alignment system
One relay for each software in the bridge &
bridge drive power trolley PLC.
module.
BD1PM Bridge Drive Power Accepts operator a. Drives Bridge motor in The Op. Sup. PLC receives an No effect. 3
BD2PM Module commands from the wrong direction input from relay BE or BW
(1 for each bridge Bridge Joystick (via the b. Internal failure of indicating commanded direction.
motor) Bridge & Trolley PLC) for electrical device The secondary joystick
speed and direction, c. N/A potentiometer output is used,
releases the Bridge brakes d. SIS is programmed to along with the coarse / fine switch
(via relay logic) and drives detect this failure input to calculate a bridge motor
the bridge motor in the e. SIS would remove rpm value. This value is then
commanded speed and both bridge & trolley compared to the bridge
direction. permissives, halting secondary motor encoder output.
bridge & trolley The SIS will detect if motor
operation direction is not as commanded,
f. Seconds and will remove both bridge &
g. Immediate trolley permissives, halting bridge
& trolley operation.
Potential for loss of life due to

travel in the wrong direction with
a concurrent failure of the
Supervisory system. SIS system
has redundant, safety certified
PLC’s.
135
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Drives bridge motor at The Op. Sup. PLC receives a No effect. 3

speed greater than voltage from a second joystick
commanded potentiometer, indicating the
commanded speed. The bridge
secondary motor encoder output
(actual speed) and a calculated
value based on the second
potentiometer value will be
compared. If they are not equal,
the SIS will remove both bridge &
trolley permissives, halting bridge
The SIS checks that the

potentiometer voltage returns to
zero volts when the joystick is
returned to the center “off”
position. Also, reference ground
rule c.
Drives bridge motor at Bridge would operate slower than No effect. 3

speed less than required. A failure resulting in
commanded motion slower than commanded
is assessed as a non-critical
failure.
136
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Inadvertent output The bridge motor secondary No effect. 3
causing motor motor encoder provides motor
operation in either operation monitoring to the Crane
direction Supervisory PLC, Slot 2. In
b. Internal electrical addition, the Bridge Selsyn also
failure provides motor speed and
c. N/A direction input to the Operator
d. The SIS PLC is Supervisory PLC, Slot 2. The
programmed to detect supervisory PLCs would detect
uncommanded motion uncommanded motion and inhibit
e. Supervisory PLC will bridge & trolley operation. The
remove both bridge & secondary motor encoder input is
trolley permissives, compared with the joystick
halting bridge & trolley secondary potentiometer value.
operation. If they do not agree, the SIS
f. Seconds software will remove the bridge &
g. Immediate trolley permissives, halting bridge
Potential for loss of life with

concurrent failure of SIS system.
The SIS system has redundant,
safety certified PLC’s.
137
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Internal failure The primary motor encoder No effect. 3

resulting in loss of or provides motor speed and
corrupted bridge motor direction information to the
(primary) encoder data BD1PM / BD2PM for feedback
b. Internal electronics control. Should the encoder
circuit failure information be corrupted, the
c. N/A BD1 / BD2PM could provide
d. The SIS PLC is erroneous control of the motor,
programmed to detect causing incorrect direction or
uncommanded motion speed operation. The bridge
e. Supervisory PLC will secondary motor encoder
remove both bridge & provides motor speed and
trolley permissives, direction information to the Sup.
halting bridge & trolley PLC, as well as a Selsyn. If the
operation. motor speed and direction is not
f. Seconds as commanded, the Sup. PLC will
g. Immediate remove both bridge & trolley
permissives, and halt bridge and
trolley operation.

speed faster than commanded or
motion in an uncommanded
direction with a concurrent failure
of the SIS system. The SIS has
redundant, safety certified PLC’s.
138
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails to issue Brake The brake has been assessed as N/A N/A
release command non-critical, so inadvertent
release would have no critical
effect on the system. See ground
rule 3.g.
Erroneous brake release The brake has been assessed as N/A N/A
command issued non-critical, so inadvertent
rule 3.g.
Bridge motor with 2 encoders

None Bridge Motor with Drives the north end of Motor has no output The north motor would not No effect. 3
two Encoders the bridge in the operate. The supervisory PLC
(North Motor) commanded speed and would detect loss of speed and
direction as provided by direction data, remove its
the Bridge Drive 1 Power permissives and halt bridge &
Module to move the trolley operation.
Bridge in an East / West
direction. Should the supervisory system
fail to halt bridge operation, since
both motors are required to move
the bridge, it would skew and
bind the wheels against the rail
and not move.
139
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Motor has low output Both bridge motors are required No effect. 3
to move the bridge. The bridge
would skew, binding the wheels
against the rail, and the bridge
would not move. The laser skew
alignment system will slow the
opposite motor down to try and
maintain uniform motion.
Primary Motor Encoder No output Motor would not operate. Bridge No effect. 3
– provides two channels of would skew. Skewing has been
motor speed and direction assessed as non-critical.
information to the Bridge
Drive 1 Power Module
(BD1PM) for feedback
control. Outputs 1024
cycles / motor revolution.
Erroneous output high The BD1PM would think the No effect. 3

motor is operating too fast and
slow it down. Both bridge motors
are required to move the bridge.
The bridge would skew, binding
the wheels against the rail, and
the bridge would not move. The
laser skew alignment system will
slow the opposite motor down to
try and maintain uniform motion.
140
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output low Would cause BD1PM to operate No effect. 3

the motor at a speed faster than
commanded. Secondary motor
encoder provides motor speed
and direction data to the
supervisory system for
monitoring. The supervisory PLC
compares the redundant speed
potentiometer output to the
actual speed, and if they do not
agree, removes the permissives,
halting bridge & trolley operation.
Secondary Motor No output The supervisory PLC would detect No effect. 3

Encoder – provides two loss of speed and direction data,
channels of motor speed remove its permissives and halt
and direction information bridge & trolley operation.
to the Bridge Encoder
Amplifier (PBEA) for error Should the supervisory system
checking monitoring by fail to halt bridge operation, since
the Crane Supervisor PLC both motors are required to move
(Slot 2). Outputs 1024 the bridge, it would skew and
cycles / motor revolution. bind the wheels against the rail
and not move.
141
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output The secondary motor encoder, No effect. 3

bridge Selsyn, and bridge joystick
secondary potentiometer provides
inputs to the SIS supervisory PLC.
Multiple SIS software functions
would cause a fault, which would
result in both bridge & trolley
permissives to be removed,
None Bridge Motor with Drives the south end of Motor has no output The south motor would not No effect. 3
one encoder output the bridge in the operate. The supervisory PLC
(South Motor) commanded speed and would detect loss of speed and
direction as provided by direction data, remove its
the Bridge Drive 2 Power permissives and halt bridge &
Module to move the trolley operation.
Bridge in an East / West
direction. Should the supervisory system
fail to halt bridge operation, since
and not move.
142
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Motor has low output Bridge would move at a speed No effect. 3
slower than commanded or not at
all. If bridge motor moves slower
than commanded, the laser skew
system would attempt to keep
bridge aligned by slowing the
other motor down to the same
speed. If laser skew system were
to fail, the bridge would skew and
bind. Skewing of the bridge has
been determined to be non-
critical.
Motor Encoder – No output The supervisory PLC would detect No effect. 3

provides two channels of loss of speed and direction data,
motor speed and direction remove its permissives and halt
data to the Bridge Drive 2 bridge & trolley operation.
Power Module (BD2PM)
for feed back control of Should the supervisory system
motor speed. fail to halt bridge operation, since
and not move.
143
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output Could cause motor to operate at a No effect. 3
speed faster than commanded.
Selsyn provides shaft rotation
speed and direction data to the
Supervisory PLC for monitoring,
as well as the secondary encoder
providing speed and direction
data for the north motor. If the
supervisory PLC detects motor
speed greater than commanded,
it will remove its permissives and
The bridge requires two motors to

drive the bridge. Both motors, or
associated monitoring, would
have to fail as well as the
supervisory PLC. Multiple failures
required to have bridge operate
at a speed greater than
commanded.
PBEA “PES” Bridge Accepts two channels of No output Loss of encoder data to Crane No effect. 3
Encoder Amplifier data from the bridge Sup. PLC. Supervisory PLC &
secondary motor encoder, software would detect loss of data
indicating motor speed and halt bridge & trolley
and direction, for operation. Multiple software
monitoring by the Crane functions would cause a fault,
Supervisory PLC (Slot 2). which would result in both bridge
& trolley permissives to be
removed, halting bridge & trolley
operation.
144
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output The Supervisory PLC would be No effect. 3

provided with erroneous bridge
motor encoder data. The SIS
performs several software checks
to ensure correct system
operation. Since the data is
erroneous, the SIS supervisory
PLC would detect a delta between
the monitored inputs. The SIS
software functions would cause a
fault, which would result in both
bridge & trolley permissives being
operation.
Accepts two channels of No output Loss of encoder data to Crane No effect. 3

data from the bridge Sup. PLC. Supervisory PLC &
monitoring by the Crane functions would cause a fault,
operation.
145
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BST Selsyn Transmitter Converts bridge drive No output Loss of Selsyn data to the Op. No effect. 3
(Bridge) shaft speed and direction Sup. PLC should generate a fault
to an electrical signal that causing the SIS to remove the
is sent to the bridge bridge & trolley permissives,
Selsyn receiver in the halting bridge & trolley operation.
crane operators cab to The supervisory PLC also
measure bridge drive compares the secondary motor
shaft distance traveled encoder to the joystick secondary
and direction for display potentiometer output to detect for
on the distance display speed greater than commanded,
and is provided to the operation in the wrong direction,
Operators Supervisory or motion without being
PLC for monitoring commanded.
purposes.
Multiple failures required for
Used by the SIS for 1 undetected failure resulting in
function only. Compares speed or direction failure or
the secondary motor undetected uncommanded
encoder to the Selsyn motion.
value, and if the difference
between the two values is
> 0, causes a fault to
occur (based on coarse /
fines speed select switch
position).
146
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output (high or The SIS software compares No effect. 3

low) bridge secondary motor encoder
data to the Selsyn data. If they
are not equal, the software
generates an error signal and
halts bridge & trolley operation.
However, should the secondary
motor encoder have a concurrent
failure, speed greater than
commanded or operation in a
direction other than commanded
could occur. However, the bridge
joystick secondary potentiometer
also provides an input to the SIS
for error checking.

travel in the wrong direction or
undetected uncommanded
motion.
147
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BSR Selsyn Receiver Receives an electrical No output Loss of Selsyn data to the Op. No effect. 3
(Bridge) signal representing bridge Sup. PLC should generate a fault
drive motor speed and causing the SIS to remove the
direction, and drives a bridge & trolley permissives,
shaft connected to a dial halting bridge & trolley operation.
gage to indicate direction The supervisory PLC also
and amount of travel. A compares the secondary motor
signal is also provided to encoder to the joystick secondary
the Bridge Selsyn encoder potentiometer output to detect for
(BSE) and amplifier speed greater than commanded,
(BSEA) for display on a operation in the wrong direction,
digital distance display or motion without being
and to the Operators commanded.
supervisor PLC, slot 3.
the secondary motor uncommanded motion.
encoder to the Selsyn
position).
148
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

low) bridge secondary motor encoder
generates an error signal and
halts bridge & trolley operation.
could occur. However, the bridge
for error checking.
10 Gear Belt Drives the bridge Selsyn Breaks or slips The bridge Selsyn display would No effect. 3
receiver encoder and no longer rotate, or operate
bridge Selsyn display in erratically and loss of, or erratic
the crane cab. bridge Selsyn encoder data to the
supervisory PLC. Loss of, or
erratic data would be detected by
the SIS PLC and cause bridge &
trolley operation to halt.
149
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BSE Selsyn Encoder Dual quadrature channels, No output Loss of Selsyn data to the Op. No effect. 3
(Bridge) ½ cycle index, 1024 Sup. PLC. Supervisory PLC &
cycles / motor revolution. software would detect loss of data
Driven by the bridge and halt bridge & trolley
Selsyn receiver output operation.
shaft, senses the relative
motion of the Selsyn The supervisory PLC also
shaft, which is equivalent compared the bridge motor
to the bridge drive shaft encoder and joystick
direction and speed. potentiometer output to check for
Outputs 2 channels of speed greater than commanded,
data, A and B, to Bridge travel in the wrong direction, or
Selsyn Encoder Amplifier uncommanded motion.
(BSEA). Depending on
which channel is leading Multiple failures required.
or lagging, indicates
motor rotation direction.
150
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The Selsyn provides an Erroneous output (high or Software compares secondary No effect. 3
output to the Operators low) motor encoder data to the Selsyn
supervisory PLC and to a data. If they are not equal, the
digital display for the software generates an error
operator to make very signal and halts bridge & trolley
small incremental operation. However, should the
movements (1/64th of an secondary motor encoder have a
inch) as required. concurrent failure, speed greater
than commanded or operation in
a direction other than
commanded would be possible
with another failure.
BSEA Selsyn Encoder Accepts motor speed and No output Loss of Selsyn data to the Op. No effect. 3
Amplifier (Bridge) direction data from the Sup. PLC. Supervisory PLC &
Bridge Selsyn Encoder software would detect loss of data
(BSE), and provides and halt bridge & trolley
outputs to the Bridge operation.
Distance Display (BDD)
and to the Operators The supervisory PLC also
Supervisor PLC, slot 3. compares the bridge motor
Used by the SIS for 1 encoder and joystick
function only. Compares potentiometer output to check for
the secondary motor speed greater than commanded,
encoder to the Selsyn travel in the wrong direction, or
value, and if the difference uncommanded motion.
> 0, causes a fault to Multiple failures required.
position).
151
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The display is used by the Erroneous output (high or Erroneous Selsyn data to the Op. No effect. 3
operator to make very low) Sup. PLC and bridge distance
small incremental display. The operator could move
movements (1/64th of an the bridge farther than required.
inch) as required.
If the Supervisory PLC & software
detects a delta between the
Selsyn and motor encoder data, a
fault will cause bridge & trolley
The supervisory PLC also

compares the bridge motor
encoder and joystick
potentiometer output to check for
travel in the wrong direction, or
uncommanded motion.
None Selsyn dial pointer Provides a mechanical No output Loss of visual indication to crane No effect. 3
indication of bridge motor operator. Operator would stop
shaft rotation, to provide bridge and halt crane operations.
the crane operation with
distance and direction
information.
152
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Indicator displays The Selsyn indicator is belt driven No effect. Correcting action 3
erroneous output from the Selsyn receiver. If the prevents impact of load with
b. Belt slips, internal belt were loose it would slip, and structure / personnel, and
mechanical failure of the indicator would read loss of life.
dial pointer erroneously. The operator could
c. N/A move bridge farther than
d. Operator will detect required. The digital display can
failure. also be used to determine travel
e. Operator could use the distance.
electrical BDD distance
display, or halt
operations
f. > 3 seconds
g. <= 3 seconds
BDD Bridge Distance Digital display, driven by No output to display Loss of visual indication to crane No effect. 3
Display the Bridge Sensor Encoder operator. Operator would stop
Amplifier (BSEA), that bridge and halt crane operations.
displays the gross bridge
distance traveled.
Also contains a Selsyn

indicator used to assist
the operator in moving
the bridge in 1/64 inch
increments.
153
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44503
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Erroneous electronic The operator could move bridge No effect. Correcting action 3
display farther than required. Should the prevents impact of load with
b. Electrical failure, burn potential exist to run the load into structure / personnel, and
out of display something, the observer could hit loss of life.
segment(s). the e-stop to halt bridge
c. N/A operation. Selsyn dial indicator
d. Observer provides a redundant
e. Observer will use e- measurement.
stop if impact of load
with structure is
imminent
f. > 3 seconds
g. <= 3 seconds
154
SAA00029
Rev. A
Table 7. FMEA – Trolley Drive & Controls Pages 155 to 220
System/Subsystem: 200-Ton RPSF Bridge Crane / Trolley Drawing No.: Ederer F-42784,
PMN: K60-0562, K60-0563 F-44502
Reference: Fig. 8 & 11
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None Gear Reducer Reduces the high motor Disengages Trolley motion would stop. No effect. 3
speed to low rpm for
trolley motion.
None Chain Connects the trolley motor Chain breaks The supervisory PLC compares No effect. 3
shaft to the trolley Selsyn the Trolley Selsyn encoder
transmitter, via pulleys. measurement with the trolley
motor encoder. If there is a
discrepancy between the
readings, the Supervisory PLC will
detect the fault and halt bridge
155
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Trolley) position, provides crane
operator control of speed,
travel direction and Trolley
brake release.
The joystick incorporates

dual potentiometers and
direction contacts.
feature, should the “off” position center position, and the trolley will prevent loss of life should
incapacitated, the c. NA selected direction and speed. incapacitated and the
joystick would return to d. A second crane “deadman” switch on the
the center off position, operator (observer) in See ground rule 3.i joystick also fail closed.
halting crane motion crane cab is present as
and setting the brakes. a backup to primary
crane operator
primary operator
f. > 3 seconds
g. <= 3 seconds
156
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Normally closed contact Mainline control contact Unable to operate crane. No effect. 3
up”. No effect on crane
operation after that.
Mainline control contact There are 3 additional normally No effect. 3
fails closed open series contacts (Main Hoist
joystick (MH), Bridge joystick
(BRI), Float potentiometer. (The
Aux hoist joystick is also in series,
but bypassed). These additional
contacts prevent power from
being inadvertently applied to the
mainline control circuit unless all
joysticks are in the neutral
position.
157
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Trolley south travel

Direction
Dual Contacts

the joystick to select
south trolley travel, two
normally open directional
contacts close as
described below:
• One contact closes to Normally open contact Loss of south travel direction No effect. 3
directly provide a fails open input to the Bridge & Trolley PLC.
discrete input to the Unable to operate trolley in south
Bridge & Trolley PLC, direction.
slot 6, on line 2036 to
indicate trolley south
the operator.
158
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
fails closed be provided with an erroneous
south trolley direction command.
However, without a concurrent
speed input from the
potentiometer, no motion would
occur.

trolley operation. Should the
supervisory system also fail,
uncommanded motion would
result.
relay TS which provides fails open be informed that trolley south
a discrete input to the travel has been commanded.
PLC, slot 5, on line 3544 The supervisory PLC’s would
for system monitoring detect uncommanded motion and
purposes. remove the bridge & trolley
permissives (BSP & BCSP).

be inhibited.
159
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

position, relay TS would continue
to be energized, and trolley south
Supervisory PLC.

stop condition.

Both direction contacts fail If both direction inputs (north and No effect. 3
closed south) are received at the same
time, the Supervisory PLC’s will
remove both permissives (BSP &
BCSP), inhibiting bridge & trolley
operation.
160
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Trolley north travel

Direction
Dual Contacts

the joystick to select north
travel, two normally open
directional contacts close
as described below:
• One contact closes to Normally open contact Loss of north travel direction No effect. 3
provide a discrete input fails open input to the Bridge & Trolley PLC.
to the Bridge & Trolley Unable to operate trolley in north
PLC, slot 5 on line 2037 direction.
to indicate trolley north
the operator.
161
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
fails closed be provided with a north trolley
direction command. However,
without a concurrent speed input
from the potentiometer, no
motion would occur.

trolley operation.
Should the supervisory system

also fail, uncommanded motion
would result.
relay TN that provides a fails open be informed that trolley north
discrete input to the travel has been commanded. The
Operators Supervisory supervisory PLC’s would detect
PLC, slot 5, on line 3544 uncommanded motion and
for system monitoring remove the bridge & trolley
purposes. permissives (BSP & BCSP).
be inhibited.
162
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
position, relay TN would continue
to be energized, and trolley north
Supervisory PLC.

stop condition.

Both direction contacts fail If both direction inputs (north and No effect. 3
closed south) are received at the same
time, the Supervisory System will
remove its permissives (BSP &
BSCP) inhibiting bridge & trolley
operation.
163
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Thumb switch allows Fails Open The thumb switch to manually N/A N/A
the operator to Fails Closed release the trolley brake has been
manually release the disconnected. The circuitry is still
Trolley brake (via Relay present, in case it is decided to be
logic TT & TBC). used, but is not currently used.
Joystick is equipped with

dual speed potentiometers
as described below:
• Center tapped No output Trolley speed would be set to zero No effect. 3

potentiometer outputs a (no motion). Unable to operate
(+/-) 0-10 VDC voltage trolley.
PLC, slot 2, for
commanding trolley
motor speed.
164
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This potentiometer High output Voltage higher than expected No effect. 3
provides the voltage would be provided to the bridge &
(speed command) to drive trolley PLC, resulting in trolley
the trolley motor. The speed greater than commanded.
trolley motor speed and
direction is provided by A redundant speed potentiometer
the secondary motor provides an equivalent voltage to
encoder, and by the the supervisory PLC for
selsyn, to the Supervisory monitoring purposes.
PLC’s. The actual speed
(as provided by the If the supervisory PLC detects
secondary motor encoder speed higher than commanded,
and Selsyn, is compared the bridge & trolley permissives
to the commanded speed (BSP & BCSP) would be removed
(provided by the and bridge & trolley operation
redundant potentiometer would be inhibited. In addition,
input to the Supervisory the SIS checks to ensure that the
PLC), and if they are not potentiometer voltage returns to
the same, a fault is zero when the joystick is returned
generated, and the to the center “off” position.
supervisory PLC removes
its permissives, and halts Also reference Ground Rule c.
Low output A redundant speed potentiometer No effect. 3

provides an equivalent voltage to
the supervisory PLC for
monitoring purposes. If the
commanded speed does not
agree with the actual speed, then
a fault will cause the permissives
to be removed, and halt bridge
165
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Center tapped No output The Supervisory system would No effect. 3

potentiometer outputs a not be informed that trolley
(+/-) 0-10 VDC voltage motion has been commanded.
to the Operators The supervisory system would
Supervisory PLC, Slot 2, detect what it thinks is
indicating commanded uncommanded motion, remove
trolley speed for the bridge & trolley permissives
monitoring purposes. (BSP & BCSP), inhibiting bridge &
trolley operation.
High output The secondary potentiometer No effect. 3

voltage input for is used by the
supervisory PLC for detecting an
over-speed condition. This value
is used in a calculation, and an
erroneous high value would result
in an incorrect calculation. If the
actual speed does not equal the
speed expected by the SIS, a
fault will occur, halting bridge &
trolley operation.
In addition the SIS checks to

ensure the potentiometer voltage
returns to zero volts when the
“off” position.
166
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output The supervisory PLC would No effect. 3

compare its monitoring input with
the actual speed. Since the
supervisory PLC is getting an
erroneous low voltage, it would
think the trolley is operating at a
and remove the bridge & trolley
permissives (BSP & BCSP) to
inhibit trolley operation.
None Fine / Coarse Speed Selects fine (slow) or a. Fails open Unable to select fine (slow) speed No effect based on ground 3
Select switch coarse (fast) speed as (Fine speed position) for trolley travel. If the operator rule 3.c that says operator is
required by the operator. b. Mechanical failure, is changing speed from Coarse required to switch to slow
Switch is normally closed welded contacts (fast) to fine speed, neither speed speed within 10 feet of
in the Fine speed position. c. N/A input would be provided to the B structure, which will give
Provides an input to the d. Operator / observer will & T PLC. adequate time to intervene if
Operators Supervisory have to notice that a failure occurs.
PLC, Slot 5, and to the trolley speed did not No speed command would be
Bridge & Trolley PLC, Slot change as provided to the trolley motor. No Correcting action prevents
7, via relays TFS (Fine) or commanded. motion would occur. loss of life.
TCS (coarse). e. Move joystick to off
position, or press e- However, should the TCS relay
stop contacts not open (both contacts
f. > 3 seconds fail closed), the system would not
g. <= 3 seconds know that the operator has
changed speed from coarse to
fine. Trolley would continue
operation in coarse speed.
167
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails closed Unable to select coarse (fast) No effect. 3
(Fine speed position) speed for trolley travel.
Fails open Unable to select fast speed for No effect. 3

(Coarse speed position) trolley travel. Fine (slow) speed
would also not be selected. The
Operators Supervisory PLC (sheet
15) will detect loss of both speed
range inputs (line 3545 and
3546) and remove the bridge &
trolley permissives (BSP & BCSP),
operation.
(Coarse speed position) for Trolley operation when rule 3.c that says operator is
b. Mechanical failure, required. required to switch to slow
welded contacts speed within 10 feet of
c. N/A The Bridge & Trolley PLC and the structure, which will give
d. Operator will have to Operators Sup. PLC will continue adequate time to intervene if
notice that trolley to get a coarse (fast) speed input. a failure occurs.
speed did not change Trolley will continue motion in fast
as commanded. speed. Correcting action prevents
e. Move joystick to off loss of life.
position, or press e-
stop
f. > 3 seconds
g. <= 3 seconds
168
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TCS Relay Energized when the Coil fails open / short SIS sheet 15 checks for neither No effect. 3
(Trolley Coarse operator selects coarse Both contacts fail open speed input present. The SIS will
Speed) speed, closes two detect a “trolley_no_spd_sel_flt”,
Line 2012 normally open relay remove the permissives and halt
(2 normally open contacts to command bridge & trolley operation.
contacts) trolley fast speed
operation.
(Line 2039) • Normally open relay Normally open contact For coarse speed operation, line No effect. 3
contact closes to provide fails open 18 (TCSODN) would not be true,
a discrete input to the and coarse speed operation would
Bridge & Trolley PLC, not be available for trolley
Slot 7, that Trolley operation. Trolley motion would
coarse speed has been stop.
selected by the
operator.
169
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This contact is used for a. Normally open contact Bridge & Trolley PLC, Slot 7, No effect based on ground 3
one function only, line 18 fails closed (TPLCDI) would be provided with rule 3.c that says operator is
of the TSpeed logic, which b. Mechanical failure or an erroneous coarse (fast) speed required to switch to slow
will make TCSODN welded contacts input (as well as a fine speed speed within 10 feet of
(Trolley Motor Speed c. N/A input). This failure would be structure, which will give
Command Logic) true if d. Operator will have to undetected if everything else adequate time to intervene if
trolley fine speed is not notice that trolley works normally. The B & T a failure occurs.
selected, neither slow limit speed did not change software would perform normally,
switch is tripped, and as commanded. and fine speed will be provided to Correcting action prevents
trolley coarse speed is e. Move joystick to off the trolley motor. loss of life.
selected. TCSODN, when position, or press e-
true, allows the speed stop If the Fine / Coarse speed select
output from the PLC to f. > 3 Seconds switch should fail open during a
the TDPM. g. <= 3 Seconds transition from coarse speed to
fine speed, coarse speed would
continue.
(Line 3546) • Normally open relay TCS Normally open Coarse speed is commanded, but
contact closes to provide a contact fails open unable to provide coarse speed
discrete input to the input to Operators Supervisory
Operators Supervisory PLC. The bridge & trolley PLC
PLC that Trolley coarse would command the trolley to
speed has been selected operate in coarse speed.
by the operator. Used by
the SIS software for 3
functions.
170
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
If the mainline contactor is The intent is to check the fine /
energized, checks that coarse speed select switch is OK,
both coarse and fine and associated relays (TFS &
speed inputs are not TCS). If there were a failure
present at the same time. where both fine and coarse speed
If they are, then a fault is inputs were simultaneously
generated. provided, then the failure would
(trolley_speed_sel_fault) not be detected by the SIS.
which will halt bridge &
trolley operation. The bridge & trolley PLC, with
both inputs applied, would
operate in slow speed.
Also checks for neither SIS sheet 15 checks for neither No effect. 3
input being provided. Fine speed input present. The SIS will
or coarse speed should be detect a “trolley_no_spd_sel_flt”,
provided, depending on remove the permissives and halt
the position of the fine / bridge & trolley operation.
coarse speed select
switch.
171
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
software uses a “select” get the input telling it coarse
function to determine speed had been selected. The
which scaling factor to use SIS software would not select the
to multiply the secondary proper scaling factor for
joystick potentiometer calculating “trolley_cmd_rpm” for
input by. This value then coarse speed.
becomes the
“trolley_cmd_rpm”, which The SIS software function selects
is used on sheet 27, Motor fine speed if coarse speed is not
response vs. command, to selected. Speed greater than
determine if the actual commanded will not occur.
trolley speed is equal to
the commanded speed.

subtracts the trolley trolley encoder freq and the
(motor) encoder trolley disp freq, then the trolley
(“trolley_enc_freq”) from trip.
the trolley display (Selsyn)
frequency Even though this function would
(“trolley_disp_freq”) not execute, the function on
greater than allowed, then and actual trolley motor speed,
based on which speed is permissives.
172
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TCS Normally open Sheet 15 No effect. 3

input that Coarse (fast) speed has
Every time fine speed is selected,

would be provided with both
speed range inputs (fine &
coarse), which would cause a
fault (trolley_speed_sel_fault) to
operation.
trolley_cmd_rpm value which is
cmd function on sheet 27. The
software is written such that if the
coarse speed relay fails closed,
fine speed will take precedence.
A fault will be tripped since the
actual speed will not equal the
commanded speed.
173
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
exits, the coarse relay failing
erroneous trolley coarse display
fault as well as the fine display
fault.
a. Both TCS relay Both fine speed and coarse speed No effect based on ground 3
contacts fail closed inputs would be provided to the rule 3.c that says operator is
b. Mechanical failure, Bridge & Trolley PLC and the required to switch to slow
welded contacts Operators Supervisory PLC. speed within 10 feet of
c. N/A structure, which will give
d. Operator / observer With both speed inputs provided adequate time to intervene if
could detect trolley to the Operators Supervisory PLC, a failure occurs.
speed is not as a fault (trolley_speed_sel_fault)
expected. would occur (SIS sheet 15). The Correcting action prevents
e. Return joystick to SIS would remove both bridge & loss of life.
center off position or trolley permissives, inhibiting
press e-stop. bridge and trolley operation.
f. > 3 seconds
g. <= 3 seconds However, a concurrent failure of
relay TFS to energize, or both TFS
relay contacts fail open, trolley
speed greater than desired would
occur.
174
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TFS Relay Energized when the a. Coil fails open / short Unable to provide a fine speed No effect based on ground 3
(Trolley Fine Speed) operator selects fine (both contacts fail input to the bridge & trolley PLC rule 3.c that says operator is
Line 2011 (slow) speed, closes two open) and the Supervisory PLC. Bridge required to switch to slow
normally open relay b. Electrical failure, & Trolley PLC would be unable to speed within 10 feet of
2 Normally open contacts to initiate trolley physical failure of coil command fine (slow) speed for structure, which will give
contacts slow speed operation. or leads/connection trolley travel. Trolley would not adequate time to intervene if
points operate. a failure occurs.
c. N/A
d. Operator / observer However, a concurrent failure of Correcting action prevents
could detect trolley relay TCS, where both relay loss of life.
speed is not as contacts fail closed, the Bridge &
expected. Trolley PLC, Tspeed software line
e. Return joystick to 18, would command the trolley
center off position or motor to operate in coarse speed.
press e-stop.
f. > 3 seconds Since the supervisory PLC would
g. <= 3 seconds only have coarse speed inputs (no
fine speed inputs), undetected
speed faster than commanded
would occur.
175
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2046) • Normally open relay TFS relay normally open Input to the B & T PLC would be No effect. 3
contact closes to provide contact fails open an “off” condition. Unable to
a discrete input to the execute the Fine (slow) speed
Bridge & Trolley PLC, calculation (TFSCC) for bridge
slot 7 (BTPLCDI), that operation (line 12). Trolley would
trolley Fine speed has not operate.
been selected by the
operator. A concurrent failure of relay TCS
contact to the bridge & trolley PLC
Used by two lines of failing closed would result in
code in the Bridge & TCSODN being true (line 18), and
Trolley software. a coarse speed command being
Examined for an “on” issued to the trolley drive power
condition (line 12) to modules. Trolley speed would be
perform the trolley fine faster than commanded.
speed calculation
(TFSCC). However, the Operators
Supervisory PLC would also be
Examined for an “off” provided with an indication that
condition (line 18) in fine speed is selected, by the
addition to an “on” second TFS relay contact. The
condition for coarse Operators Supervisory PLC would
speed command compare the secondary motor
(TCSODN). encoder output with the
calculated speed that the speed is
greater than commanded, and
halt bridge and trolley operation.

commanded.
176
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TFS relay normally open The Bridge & Trolley PLC would No effect. 3
contact fails closed continuously be provided with a
Fine (slow) speed input. (The
Operators Supervisory PLC is also
provided with a separate relay
contact closure, which would be
open).

to the B & T PLC, the trolley
motor would operate in fine
speed.
When coarse speed is

commanded, the supervisory PLC
would be expecting coarse speed
operation, when the trolley motor
would be operating in fine speed.
The supervisory PLC will detect a
delta between commanded speed
and actual speed, remove the
permissives, and halt B & T
operation.
A failure resulting in speed slower

than commanded is not a critical
failure.
177
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 3545) • Normally open relay TFS relay normally open Effects assessed below.
contact closes to provide contact fails open
PLC that trolley fine
speed has been selected
by the operator.
Used by the SIS for 3

software functions.

If the mainline contactor is If there were a failure where both
energized, checks that fine and coarse speed inputs were
both coarse speed and simultaneously provided, then the
fine speed inputs are not failure would not be detected by
present at the same time. the SIS.
If they are, then a fault is
generated. The bridge & trolley PLC, with
(trolley_speed_sel_fault) both inputs applied, would
which will halt bridge & operate in slow speed. The SIS
trolley operation. would think coarse speed is
commanded. The SIS would
178
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Also, checks for neither No effect. Would also require No effect. 3

input being provided. coarse speed to not be present
Either fine or coarse speed also.
should be provided,
depending on the position
of the fine / coarse speed
select switch.

software uses a “select” get the input telling it fine speed
function to determine had been selected. The SIS
which scaling factor to use software function selects fine
to multiply the secondary speed if coarse speed is not
joystick potentiometer selected.
input by. This value then
becomes the If a concurrent failure of the
“trolley_cmd_rpm”, which coarse speed input failing high
is used on sheet 27, Motor would be detected by the
response vs. command, to software on sheet 15, and cause
determine if the actual a “trolley_speed_sel_fault” to
trolley speed is equal to occur, and the SIS would remove
the commanded speed. the bridge & trolley permissives,
halting operation.
179
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
subtracts the trolley trolley encoder freq and the
(motor) encoder trolley disp freq, then the trolley
(“trolley_enc_freq”) from trip.
the trolley display (Selsyn)
frequency Even though this function would
(“trolley_disp_freq”) not execute, the function on
greater than allowed, then and actual trolley motor speed,
based on which speed is permissives, halting operation.
TFS Normally open Sheet 15 No effect. 3

input that Fine (slow) speed has
Every time coarse speed is

selected, the Operators
Supervisory PLC would be
provided with both speed range
inputs (fine & coarse), which
would cause a fault
(trolley_speed_sel_fault) to
operation.
180
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
trolley_cmd_rpm value which is
cmd function on sheet 27. Fine
speed will be calculated.
exits, the fine speed relay failing
erroneous trolley fine display fault
as well as the coarse display fault.
Both TFS relay contacts Both fine speed and coarse speed No effect. 3
fail closed inputs would be provided to the
Bridge & Trolley PLC and the

a fault (trolley_speed_sel_fault)
would occur (SIS sheet 15). The
SIS would remove both bridge &
trolley permissives, inhibiting
bridge and trolley operation.
181
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TN Relay Energized when the Coil fails open / short Loss of north direction input to
(Trolley North) operator moves the Contact fails open Operator Supervisory PLC. The
Line 2017 joystick to the left, one input to the Sup. PLC is for fault
1 normally open normally open relay detection only, does not provide a
contact contact closes to provide direction command to the trolley
an indication to the motor. That is done by the
(Line 3544) supervisory system that bridge & trolley PLC.
trolley motion in the north
commanded by the
operator.

functions:
ensure trolley joystick This assumes the joystick is in the
north direction is not center “off” position, and only the
being commanded at direction contact has failed
startup (SIS sheet 13) closed. The SIS would not detect
a failure of the trolley joystick
north direction contacts failing
is not present. Even though a
182
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

directions (trolley north the north direction input. Should
and south) are not both trolley joystick direction
checks that, if a north command
is present that the south
command is not present. No
motion would occur.
• Checks for a failure of Potentially, if the trolley joystick No effect. 3

the trolley joystick. If a north contact has failed closed,
voltage is present with but the input to the PLC has failed
neither direction input open, and a potentiometer
present (SIS sheet 16) voltage is present, it would not be
trolley joystick (erroneous north
183
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

trolley_cmd_rpm value value for trolley_cmd_rpm. If the
(SIS sheet 26) TN relay contact fails open, the
value.
184
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

(uncommanded motion) So, when trolley north direction is

fail closed.)
185
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Checks that the brake is When the trolley north direction is No effect. 3
set if no direction commanded, the trolley north
sheet 28) and the trolley_brake_fault (420)

If the trolley north relay contact
operation.

When a trolley south command is
186
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

If a trolley north command is
on the logic. If a trolley south
would be provided.

If a trolley north command is
on the logic. If a trolley south
would be provided.
187
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

constant trolley north direction
indication. Should the trolley
is always present. When a south
TS Relay Energized when the Coil fails open / short Loss of south direction input to
(Trolley South) operator moves the Contact fails open Operator Supervisory PLC. The
Line 2015 joystick to the right, one input to the Sup. PLC is for fault
1 normally open normally open relay detection only, does not provide a
contact contact closes to provide direction command to the trolley
an indication to the motor. That is done by the
(Line 3544) supervisory system that bridge & trolley PLC.
trolley motion in the south
commanded by the
operator.

functions:
188
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

ensure trolley joystick This assumes the joystick is in the
south direction is not center “off” position, and only the
being commanded at direction contact has failed
startup (SIS sheet 13) closed. The SIS would not detect
a failure of the trolley joystick
north direction contacts failing
is not present. Even though a

189
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

directions (trolley north the south direction input. Should
and south) are not both trolley joystick direction
checks that, if a north command
is present that the south
command is not present. No
motion would occur.
• Checks for a failure of Potentially, if the trolley joystick No effect. 3

the trolley joystick. If a south contact has failed closed,
voltage is present with but the input to the PLC has failed
neither direction input open, and a potentiometer
present (SIS sheet 16) voltage is present, it would not be
trolley joystick (erroneous south

trolley_cmd_rpm value value for trolley_cmd_rpm. If the
(SIS sheet 26) TS relay contact fails open, the
value.
190
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

(uncommanded motion) So, when trolley south direction is

fail closed.)
191
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Checks that the brake is When the trolley south direction is No effect. 3
set if no direction commanded, the trolley south
sheet 28) and the trolley_brake_fault (420)

If the trolley south relay contact
operation.

When a trolley north command is
192
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
If a trolley south command is
on the logic. If a trolley north
would be provided.

If a trolley south command is
on the logic. If a trolley north
would be provided.

constant trolley south direction
indication. Should the trolley
brake not set, the fault would
is always present. When a north
193
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None Thumb Button Normally open manual Fails open The thumb button for brake N/A N/A
push button, when Fails closed release is installed, but
pressed, energizes relay disconnected.
TT to allow the operator to
manually release the
trolley brake.
TT Relay When the operator Coil fails open / short The trolley brake has been N/A N/A
(Trolley Brake presses the thumb button assessed as non-critical and is not
Release) on the Trolley joystick, analyzed. See ground rule 3.g.
Line 2019 relay TT is energized,
(3 normally open which releases the trolley
contacts) brake.
(Line 2010) • Normally open relay Relay contact fails open The trolley brake has been N/A N/A
contact, when closed, assessed as non-critical and is not
energizes relay TBC analyzed. See ground rule 3.g.
(Trolley Brake
Contactor) which
actually releases the
trolley brake.
Normally open contact The trolley brake has been N/A N/A
fails closed assessed as non-critical and is not
analyzed. See ground rule 3.g.
194
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
provides discrete input analyzed. See ground rule 3.g.
to Bridge & Trolley PLC,
slot 5, that the brake
have been commanded
to release.
Relay contact fails closed The trolley brake has been N/A N/A
assessed as non-critical and is not
provides discrete input analyzed. See ground rule 3.g.
to Operators
supervisory PLC, slot 5,
that the trolley brake
has been commanded
to release.
Relay contact fails closed The trolley brake has been N/A N/A
assessed as non-critical and is not
195
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TBR Relay Energized by the Trolley Coil fails open / short The trolley brake has been N/A N/A
(Trolley Brake Relay) Drive Power Module assessed as non-critical and is not
Line 2138 (TDPM), closes 2 normally analyzed. See ground rule 3.g.
open relay contacts.
(2 normally open
contacts) When relay TBR contact
closes, relay TBC is
energized, which releases
the trolley brake.
(Line 2009) Energizes Trolley Brake Normally open contact The trolley brake has been N/A N/A
Contactor relay TBC to fails open assessed as non-critical and is not
release the trolley brake. analyzed. See ground rule 3.g.
(Line 2038) Provides 1 of 2 enables Normally open contact The trolley brake has been N/A N/A
(along with TBC to provide fails open assessed as non-critical and is not
a discrete input to the analyzed. See ground rule 3.g.
bridge & trolley PLC, slot
7, indicating the trolley
brake have been
196
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TBC Relay Energized by either relay Coil fails open / short The trolley brake has been N/A N/A
(Trolley Brake contact TT, or relay assessed as non-critical and is not
Contactor) contact TBR. When analyzed. See ground rule 3.g.
2009 energized, closes relay
contacts to release the
(3 normally open trolley brake, provides
contacts) discrete inputs to the
Bridge & Trolley PLC line
2038 and energizes Relay
TBR2.
(Line 1075) • Two normally open Normally open contacts The trolley brake has been N/A N/A
ganged relay contacts fail open assessed as non-critical and is not
close to provide 460 analyzed. See ground rule 3.g.
VAC to the trolley brake
to release it.
Normally open contacts The trolley brake has been N/A N/A
fail closed assessed as non-critical and is not
(Line 2038) • One normally open relay Normally open contact The trolley brake has been N/A N/A
contact closes to provide fails open assessed as non-critical and is not
a discrete input, along analyzed. See ground rule 3.g.
with relay TBR contact,
PLC, slot 7, that the
trolley brake has been
197
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2007) • One normally open relay Normally open contact The trolley brake has been N/A N/A
contact closes to fails open assessed as non-critical and is not
energize relay TBR2. analyzed. See ground rule 3.g.
TBR2 Relay • One normally open relay Normally open contact The trolley brake has been N/A N/A
Trolley Brake Relay 2 contact closes to provide fails open assessed as non-critical and is not
1 normally open a discrete input to the analyzed. See ground rule 3.g.
contact Crane Supervisory PLC
(Line 3034) that the trolley brake
has been commanded to
release.
198
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
North-Slow Limit Switch Provides an input to the Fails open The bridge & trolley PLC will be No effect. 3
When the limit switch is the north slow limit switch has
opened (tripped), the been tripped. Trolley will be
software will automatically in the north direction. Trolley will
switch the Trolley to Fine operate in fine (slow) speed mode
(slow) speed mode when only, while moving in north
moving in the North direction.
direction.
SIS. c. N/A slow. Trolley will continue north concurrent failure of joystick
recognize that trolley selected).
has entered a slow
in coarse speed, and speed as the trolley approaches
f. > 3 seconds
g. <= 3 seconds
199
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
South-Slow Limit Switch Provides an input to the Fails open The bridge & trolley PLC will be No effect. 3
When the limit switch is the south slow limit switch has
opened (tripped), the been tripped. Trolley will be
software will automatically in the south direction. Trolley will
switch the Trolley to Fine operate in fine (slow) speed mode
(slow) speed mode when only, while moving in south
moving in the south direction.
direction.
SIS. c. N/A slow. Trolley will continue south concurrent failure of joystick
recognize that Trolley selected).
has entered a slow
in coarse speed, and speed as the trolley approaches
f. > 3 seconds
g. <= 3 seconds
200
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
North-Stop Limit Switch Allows or inhibits a north Fails open Input to the bridge and trolley No effect. 3
trolley drive power Bridge & Trolley PLC would not
module. When closed, turn on the north direction output
allows a north direction to the Trolley Drive Power
command to the trolley Module. The Trolley Drive Power
drive power module, and Module is inhibited from operating
when tripped, removes with input missing. Trolley north
the direction command travel will be inhibited. South
from the trolley drive travel is unaffected.
power module, halting
trolley motion. The trolley
south direction to
line only (Main line 30) of
the B & T software.

SIS.
a. Fails closed Trolley will continue past Should a concurrent failure of 3

b. Mechanical failure maximum allowed north travel. the trolley joystick or bridge
c. N/A Hard stops will stop trolley, or & trolley PLC occur,
recognize that trolley operation. trolley motion if limit switch is
maximum travel limit, Trolley operation is not allowed preventing possible loss of life
f. > 3 seconds
g. <= 3 seconds
201
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
South-Stop Limit switch Allows or inhibits a south Fails open Input to the bridge and trolley No effect. 3
trolley drive power Bridge & Trolley PLC would not
module. When closed, turn on the south direction output
allows a south direction to the Trolley Drive Power
command to the trolley Module. The Trolley Drive Power
drive power module, and Module is inhibited from operating
when tripped, removes with input missing. Trolley south
the direction command travel will be inhibited. North
from the trolley drive travel is unaffected.
power module, halting
trolley motion. The trolley
north direction to
line only (Main line 32) of
the B & T software.

SIS.
202
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Fails closed Trolley will continue past Should a concurrent failure of 3

b. Mechanical failure maximum allowed south travel. the trolley joystick or bridge
c. N/A Hard stops will stop trolley, or & trolley PLC occur,
recognize that trolley operation. trolley motion if limit switch is
maximum travel limit, Trolley operation is not allowed preventing possible loss of life
f. > 3 seconds
g. <= 3 seconds
203
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TDPM Trolley Drive Power Accepts operator a. Drives Trolley motor in The Op. Sup. PLC receives an No effect. 3
Module commands from the wrong direction input from relay TN or TS
Trolley Joystick (via the b. Internal failure of indicating commanded direction.
Bridge & Trolley PLC) for electrical device The secondary joystick
speed and direction, c. N/A potentiometer output is used,
releases the Trolley brake d. SIS is programmed to along with the coarse / fine switch
(via relay logic) and drives detect this failure input to calculate a trolley rpm
the trolley motor in the e. SIS would remove value. This value is then
commanded speed and both bridge & trolley compared to the trolley secondary
direction. permissives, halting motor encoder output. The SIS
bridge & trolley will detect if motor direction is not
operation as commanded, and will remove
f. > 3 seconds both bridge & trolley permissives,
g. <= 3 seconds halting bridge & trolley operation.

travel in the wrong direction with
a concurrent failure of the SIS
system. The SIS has redundant,
204
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Drives trolley motor at The Op. Sup. PLC receives a No effect. 3
speed greater than voltage from a second joystick
commanded potentiometer, indicating the
commanded speed. The trolley
(actual speed) and a calculated
value based on the second
potentiometer value will be
compared. If they are not equal,
the SIS will remove both bridge &
trolley permissives, halting bridge
The SIS checks that the

potentiometer voltage returns to
zero volts when the joystick is
returned to the center “off”
position. Also, reference ground
rule c.
Drives Trolley motor at Trolley would operate slower than No effect. 3

speed less than required. A failure resulting in
commanded motion slower than commanded
is assessed as a non-critical
failure.
205
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Inadvertent output The trolley secondary motor No effect. 3
causing motor encoder provides motor operation
operation in either monitoring to the Crane
direction Supervisory PLC, Slot 2. In
b. Internal electrical addition, the Trolley Selsyn also
failure provides motor speed and
c. N/A direction input to the Operator
d. The SIS PLC is Supervisory PLC, Slot 2. The
programmed to detect supervisory PLCs would detect
uncommanded motion uncommanded motion and inhibit
e. Supervisory PLC will bridge & trolley operation.
remove both bridge &
trolley permissives, Potential for loss of life with
halting bridge & trolley concurrent failure of SIS system.
operation. However, the SIS system is
f. Seconds comprised of redundant, safety
g. Immediate certified PLCs.
206
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Internal failure The primary motor encoder No effect. 3

resulting in loss of or provides motor speed and
corrupted Trolley motor direction information to the TDPM
encoder data for feedback control. Should the
b. Internal electronics encoder information be corrupted,
circuit failure the TDPM could provide
c. N/A erroneous control of the motor,
d. The SIS PLC is causing incorrect direction or
programmed to detect speed operation. The trolley
uncommanded motion secondary motor encoder
e. Supervisory PLC will provides motor speed and
remove both bridge & direction information to the Sup.
trolley permissives, PLC, as well as a Selsyn. If the
halting bridge & trolley motor speed and direction is not
operation. as commanded, the Sup. PLC will
f. Seconds remove both bridge & trolley
g. Immediate permissives, and halt bridge and
trolley operation.

speed faster than commanded or
motion in an uncommanded
direction with a concurrent failure
of the SIS system. The SIS
system is comprised of
207
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails to issue Brake The brake has been assessed as N/A N/A
release command non-critical, so inadvertent
rule 3.g.
Erroneous brake release The brake has been assessed as N/A N/A
command issued non-critical, so inadvertent
rule 3.g.
Trolley Motor with two motor
encoders
None Trolley Motor with Moves the trolley in the Motor has no output Unable to move trolley. No effect. 3
two Encoders commanded speed and
direction as provided by
the Trolley Drive Power
Module.
Motor has low output Trolley would move at a speed No effect. 3
slower than commanded or not at
all.
Primary Motor Encoder No output Loss of encoder input would No effect. 3

– provides two channels of cause the Trolley Drive Power
motor speed and direction Module to shut down. Trolley
information to the Trolley would not move.
Drive Power Module
(TDPM) for feedback
control. Outputs 1024
cycles / motor revolution.
208
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output Motor could operate at a speed No effect. 3

greater than commanded or in
the opposite direction. The trolley
secondary motor encoder and
trolley Selsyn provides motor
Sup. PLC, which would detect that
actual motor speed is greater
than commanded, and halt bridge
Secondary Motor No output Loss of encoder data to Crane No effect. 3

Encoder – provides two Sup. PLC. Supervisory PLC &
channels of motor speed software would detect loss of data
and direction information and halt bridge & trolley
to the Trolley Encoder operation. Multiple software
Amplifier (PTEA) for error functions would detect a fault,
checking monitoring by which would result in both bridge
the Crane Supervisor PLC & trolley permissives to be
(Slot 2). Outputs 1024 removed, halting bridge & trolley
cycles / motor revolution. operation.
209
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output The secondary motor encoder, No effect. 3

trolley Selsyn, and trolley joystick
secondary potentiometer provides
inputs to the SIS supervisory PLC.
Multiple SIS software functions
would cause a fault, which would
result in both bridge & trolley
PTEA “PES” Trolley Accepts two channels of No output Loss of encoder data to Crane No effect. 3
Encoder Amplifier data from the Trolley Sup. PLC. Supervisory PLC &
monitoring by the Crane functions would detect a fault,
operation.
210
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output The Supervisory PLC would be No effect. 3
provided with erroneous trolley
motor encoder data. The SIS
performs several software checks
to ensure correct system
operation. Since the data is
erroneous, the SIS supervisory
PLC would detect a delta between
the monitored inputs. The SIS
software functions would cause a
fault, which would result in both
bridge & trolley permissives being
operation.
211
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Trolley Selsyn
TST Selsyn Transmitter Converts Trolley drive No output Loss of Selsyn data to the Op. No effect. 3
(Trolley) shaft speed and direction Sup. PLC will generate a fault
is sent to the Trolley bridge & trolley permissives,
Selsyn receiver in the halting bridge & trolley operation.
crane operators cab to The supervisory PLC also
measure Trolley drive compares the secondary motor
shaft distance traveled encoder to the joystick secondary
and direction for display potentiometer output to detect for
on the distance display speed greater than commanded,
and is provided to the operation in the wrong direction,
Operators Supervisory or motion without being
PLC for monitoring commanded.
purposes.
encoder to the Selsyn motion.
position).
212
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

low) trolley secondary motor encoder
generates a fault and halts bridge
& trolley operation. However,
should the secondary motor
encoder have a concurrent
could occur. However, the trolley
for error checking.

motion.
213
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TSR Selsyn Receiver Receives an electrical No output Loss of Selsyn data to the Op. No effect. 3
(Trolley) signal representing trolley Sup. PLC should generate a fault
direction, and drives a bridge & trolley permissives,
shaft connected to a dial halting bridge & trolley operation.
gage to indicate direction The supervisory PLC also
and amount of travel. A compares the secondary motor
signal is also provided to encoder to the joystick secondary
the Trolley Selsyn encoder potentiometer output to detect for
(TSE) and amplifier speed greater than commanded,
(TSEA) for display on a operation in the wrong direction,
digital distance display or motion without being
and to the Operators commanded.
supervisor PLC, slot 3.
the secondary motor uncommanded motion.
encoder to the Selsyn
position).
214
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

low) trolley secondary motor encoder
generates a fault and halt bridge
& trolley operation. However,
should the secondary motor
encoder have a concurrent
could occur. However, the trolley
for error checking.
10 Gear Belt Drives the trolley Selsyn Breaks or slips The Selsyn display would no No effect. 3
receiver encoder and longer rotate, or operate
trolley Selsyn display in erratically and loss of, or erratic
the crane cab. trolley Selsyn encoder data to the
supervisory PLC. Loss of, or
erratic data would be detected by
the SIS PLC and cause bridge &
trolley operation to halt.
215
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TSE Selsyn Encoder Dual quadrature channels, No output Loss of Selsyn data to the Op. No effect. 3
(Trolley) ½ cycle index, 1024 Sup. PLC. Supervisory PLC &
Driven by the Trolley and halt bridge & trolley
Selsyn receiver output operation.
shaft, senses the relative
motion of the Selsyn The supervisory PLC also
shaft, which is equivalent compared the trolley motor
to the Trolley drive shaft encoder and joystick
direction and speed. potentiometer output to check for
Outputs 2 channels of speed greater than commanded,
data, A and B, to Trolley travel in the wrong direction, or
Selsyn Encoder Amplifier uncommanded motion.
(TSEA). Depending on
which channel is leading Multiple failures required.
or lagging, indicates
motor rotation direction.
216
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
digital display for the software generates an error
operator to make very signal and halts bridge & trolley
small incremental operation. However, should the
movements (1/64th of an secondary motor encoder have a
inch) as required. concurrent failure, speed greater
than commanded or operation in
a direction other than
commanded would be possible
with another failure.
TSEA Selsyn Encoder Accepts motor speed and No output Loss of Selsyn data to the Op. No effect. 3
Amplifier (Trolley) direction data from the Sup. PLC. Supervisory PLC &
Trolley Selsyn Encoder software would detect loss of data
(TSE), and provides and halt bridge & trolley
outputs to the Trolley operation.
Distance Display (TDD)
and to the Operators The supervisory PLC also
Supervisor PLC, slot 3. compares the trolley motor
Used by the SIS for 1 encoder and joystick
function only. Compares potentiometer output to check for
the secondary motor speed greater than commanded,
encoder to the Selsyn travel in the wrong direction, or
value, and if the difference uncommanded motion.
> 0, causes a fault to Multiple failures required.
position).
217
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
operator to make very low) Sup. PLC and trolley distance
movements (1/64th of an the trolley farther than required.
inch) as required.
fault will cause bridge & trolley

compares the trolley motor
uncommanded motion.
None Selsyn dial pointer Provides a mechanical No output Loss of visual indication to crane No effect. 3
indication of trolley motor operator. Operator would stop
shaft rotation, to provide trolley and halt crane operations.
the crane operation with
distance and direction
information.
218
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Indicator displays The Selsyn indicator is belt driven No effect. Correcting action 3
erroneous output from the Selsyn receiver. If the prevents impact of load with
b. Belt slips, internal belt were loose it would slip, and structure / personnel, and
mechanical failure of the indicator would read loss of life.
dial pointer erroneously. The operator could
c. N/A move trolley farther than
d. Operator will detect required. The digital display can
failure. also be used to determine travel
e. Operator could use the distance.
electrical TDD distance
display, or halt
operations
f. > 3 seconds
g. <= 3 seconds
TDD Trolley Distance Digital display, driven by No output to display Loss of visual indication to crane No effect. 3
Display the Trolley Sensor operator. Operator would stop
Encoder Amplifier (TSEA), trolley and halt crane operations.
that displays the gross
trolley distance traveled.

the trolley in 1/64 inch
increments.
219
SAA00029
Rev. A
PMN: K60-0562, K60-0563 F-44502
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Erroneous electronic The operator could move trolley No effect. Correcting action 3
display farther than required. Should the prevents impact of load with
b. Electrical failure, burn potential exist to run the load into structure / personnel, and
out of display something, the observer could hit loss of life.
segment(s). the e-stop to halt trolley
c. N/A operation. Selsyn dial indicator
d. Observer provides a redundant
with structure is
imminent
f. > 3 seconds
g. <= 3 seconds
220
SAA00029
Rev. A
Table 8. Electrical FMEA – 200-Ton Hoist Drives & Controls Pages 221 to 331
System/Subsystem: 200-Ton RPSF Bridge Crane / Drawing No.: Ederer F-42784
PMN: K60-0562, K60-0563 Reference: Fig. 10 & 11
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HOIST
(Hoist Drive) position, provides crane
(Line 2534) operator control of speed,
travel direction and Hoist
brake release.
feature, should the “off” position center position, and the hoist will prevent loss of life should
incapacitated for some c. N/A selected direction and speed. incapacitated and the
reason, the joystick d. A second crane “deadman” switch on the
would return to the operator (observer) in See ground rule 3.i joystick also fail closed.
center off position, crane cab is present as
halting hoist motion and a backup to primary
setting the brakes. crane operator
primary operator
f. > 3 seconds
g. <= 3 seconds
221
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Normally closed contact Mainline control contact Unable to operate the hoist. No effect. 3
up”. No effect on the
circuit after that.
Mainline control contact There are additional series No effect. 3
fails closed contacts (Bridge joystick (BRI),
Trolley joystick (TROL), Float
potentiometer, Hoist Cab Sup.
Permissive (HCSP) from
Operators Sup. PLC slot 5, and
HSP from Crane Supervisory PLC,
Slot 4, that that prevents the
power from being inadvertently
applied to the hoist mainline
control circuit.
222
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Dual raise directional

contacts
• When the operator Hoist Raise direction Unable to provide an input to the No effect. 3
moves the joystick to contact fails open hoist drive power module to
command hoist raise, operate the hoist motor in the
the output of the upward direction to lift the load
joystick energizes relay using the joystick.
HJR, which provides a
discrete input to the No effect on float mode operation.
Hoist Drive Power
Module (Line 2622)
which provides a raise
command the Hoist
Drive Power Module.
Hoist Raise direction Hoist drive power module would No effect. 3
contact fails closed be provided with a continuous
raise command.
To have uncommanded hoist

motion would require additional
failures of relay HR contact failing
closed, which provides a
monitoring indication to the
supervisory PLC, and a speed
command (voltage) from both
potentiometers. Multiple failures
required.
223
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• When the operator Hoist Raise direction The Supervisory system would No effect. 3
moves the joystick to contact fails open not be aware that hoist raise has
command hoist raise, been commanded. It would think
the output of the that hoist motion would be
joystick energizes relay uncommanded, remove the hoist
HR, which provides a permissives (HCSP and HSP) and
discrete input to the halt hoist operation.
PLC, Slot 5, (Line 3533)
for system monitoring.
Hoist Raise direction The supervisory system would be No effect. 3
contact fails closed provided with a continuous
indication that hoist raise has
been commanded by the
operator.
Should motion occur, due to

additional failures, the
supervisory PLC would not detect
this as a failure.

failures of relay HJR contact
failing closed, and a speed
potentiometers.
224
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Dual lower directional

contacts
• When the operator Hoist Lower direction Unable to provide an input to the No effect. 3
moves the joystick to contact fails open hoist drive power module to
command hoist lower, operate the hoist motor in the
the output of the downward direction to lower the
joystick energizes relay load using the joystick.
HJL, which provides a
discrete input to the No effect on float mode operation.
Hoist Drive Power
Module (Line 2625)
which provides a lower
command the Hoist
Drive Power Module.
Hoist Lower direction Hoist drive power module would No effect. 3
lower command.

failures of relay HL contact failing
closed, which provides a
monitoring indication to the
supervisory PLC, and a speed
potentiometers.
225
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• When the operator Hoist Lower direction The Supervisory system would No effect. 3
moves the joystick to contact fails open not be aware that hoist lower has
command hoist lower, been commanded. It would think
the output of the that hoist motion would be
joystick energizes relay uncommanded, remove the hoist
HL, which provides a permissives (HCSP and HSP) and
discrete input to the halt hoist operation.
PLC, Slot 5, (Line 3534)
for system monitoring.
Hoist Lower direction The supervisory system would be No effect. 3
indication that hoist lower has
operator.
Should motion occur, due to

additional failures, the
supervisory PLC would not detect
this as a failure.

failures of relay HJL contact failing
closed, and a speed command
(voltage) from both
potentiometers.
226
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Thumbswitch allows the Fails Open Unable to energize relay HFP No effect. 3
operator to enable hoist (hoist float permissive), which
float mode (via Relay allows hoist float mode operation.
logic HT & HFP) for float Hoist float mode operation will
mode operation. not be available.
The thumb switch on

the hoist joystick is only
used during float mode
operation, and releases
the hoist brakes.
Fails Closed Upon initial startup, if the switch No effect. 3
has failed closed, it will cause a
fault, and the SIS will remove the
hoist permissives, inhibiting hoist
operation. (SIS software sheet
12)
During normal operation, relay HT

would stay energized, which
would provide a direct input to
the Operators supervisory PLC
that float mode has been
commanded, and provides 1 of 2
“enables” required to energize
relay HFP. (Also requires hoist
pedal relay HP).
As a single failure, would have no

effect.
227
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
For uncommanded float mode

operation, multiple failures would
be required; additional failure of
the hoist pedal foot switch or
relay HP contact failing closed,
the hoist speed select swich must
also be in the “float” position, an
erroneous output from the hoist
float rotary switch, either float
raise or float lower relays failing
closed, and an output from both
float potentiometers.

uncommanded float mode
operation.
Dual Potentiometers –
Hoist speed
• Center tapped No output Hoist speed would be set to zero No effect. 3
(primary) (no motion). Hoist would not
potentiometer outputs a operate.
+/- 10 VDC voltage to
the Hoist Drive DC
Power Module (HDPM),
indicating commanded
speed for hoist
operation.
228
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High output The hoist would operate faster No effect. 3

than expected, in whichever
direction was selected. The
supervisory system monitors an
equivalent voltage from a
redundant potentiometer. If the
commanded speed and the actual
speed do not agree, the
supervisory PLC’s will remove the
hoist permissives, halting hoist
operation.
With a concurrent failure of the

redundant potentiometer output
to the supervisory system, faster
speed than commanded would
occur.
The SIS monitors the

potentiometers for failure by
ensuring the voltage returns to
zero when the joystick is returned
to the center off position. Also,
see ground rule c, which says the
operator, has sufficient time to
intervene and stop the hoist if a
failure should occur.
The SIS has redundant safety

certified PLC’s.
229
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output The hoist would operate slower No effect 3

than expected, in whichever
direction was selected. The
supervisory system monitors an
equivalent voltage from a
redundant potentiometer. If the
commanded speed and the actual
speed do not agree, the
supervisory PLC’s will remove the
operation.
• Center tapped No output The supervisory PLC compares No effect. 3

(secondary) commanded speed to the actual
potentiometer outputs a speed. If the secondary
+/- 10 VDC voltage potentiometer has not output, the
(indicating commanded SIS would consider motion as
speed) to the Operators being uncommanded, and would
Supervisory PLC, slot 1 remove the hoist permissives,
for system monitoring halting hoist operation.
purposes.
230
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High output The supervisory PLC would think No effect. 3
that a higher speed was
commanded than actually was.
The supervisory PLC would see
that the commanded speed and
actual speed do not agree, and
halting hoist operation.
However, should the primary

potentiometer fail with high
output, or other failure causing
the hoist motor to operate at the
same speed as indicated by the
redundant potentiometer, the
supervisory PLC would see that
the commanded speed and actual
speed are equal and would not
know a failure has occurred.
The SIS monitors the

potentiometers for failure by
ensuring the voltage returns to
zero when the joystick is returned
to the center off position. Also,
see ground rule c, which says the
operator, has sufficient time to
intervene and stop the hoist if a
failure should occur.
The SIS has redundant safety

certified PLC’s.
231
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output The supervisory system PLC No effect. 3

compares actual speed with
commanded speed. It would
think that the actual speed is
higher than commanded, remove
the hoist permissives, halting
hoist operation.
HR Relay Energized when the Coil fails open / short Loss of raise direction input to
(Hoist Raise) operator moves the Contact fails open Operator Supervisory PLC. The
(Line 2536) joystick to the right, one input to the Sup. PLC is for fault
normally open relay detection only, and does not
1 normally open contact closes to provide provide a direction command to
contact an indication to the the hoist motor. That is done by
(line 3533) supervisory system that the Hoist Drive Power Module.
hoist motion in the
upward direction has been Itemized failure effects are below.
commanded by the
operator.

functions:
232
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

ensure hoist joystick up This assumes the hoist joystick is
direction is not being in the center “off” position, and
commanded at startup only the direction contact has
(SIS sheet 13) failed closed. The SIS would not
detect a failure of the hoist
joystick raise direction contacts
failing closed since the input to
the SIS is not present. Even
though a direction command is
present, since the joystick is in
the center position, there would
be no speed output from the
potentiometers for motion to
occur.
This would assume the hoist No effect. 3

joystick has failed in an “off
center” position. If the joystick is
not in the center off position, the
enable to the mainline circuit
would not be present, and power
would not be applied to the
system. Therefore no motion
would occur.
233
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

directions (hoist raise and the hoist raise direction input.
lower) are not Should both hoist joystick
simultaneously direction contacts (raise and
commanded at anytime lower) fail closed, then the failure
during system operation would not be detected. Both
(SIS sheet 16) direction commands would be
applied to the HDPM. No motion
would occur.
• Checks for a failure of Potentially, if the hoist joystick No effect. 3

the hoist joystick raise contact has failed closed,
potentiometer, if a voltage but the input to the PLC has failed
is present with neither open, and a potentiometer
direction input present voltage is present, it would not be
(SIS sheet 16) detected. Requires failure of the
hoist joystick (erroneous raise

hoist_cmd_rpm value value for hoist_cmd_rpm. If the
(SIS sheet 18) HR relay contact fails open, the
quickly updated to the correct
value.
234
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Used to detect a float The SIS would detect a float hold No effect. 3
hold fault. Once the fault, remove the hoist
brakes are released, and permissives, halting hoist
there is no command to operation.
move, the SIS verifies
that the load does not
move more than 0.005
inch. (SIS sheet 18)
235
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

(uncommanded motion) So, when hoist raise is
would be removed, halting hoist
operation.

fail closed.)
• Checks that the brake is When hoist raise is commanded, No effect. 3

set if no direction the hoist raise contact would be
command is present (SIS open, and the hoist_brake_fault
sheet 22) (240) would be tripped, since the
brake would be released with no
236
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

If the hoist raise relay contact
inhibiting hoist operation.

When a hoist lower command is
237
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

Should the hoist potentiometer
have a “pot zero” failure, where
there was a voltage output, the
fault would not be tripped, since
the raise input would be present.
However, as soon as a hoist lower
inputs to the SIS would be
present. The SIS would detect a
fault and remove the hoist
permissives, halting hoist
operation.

If a hoist raise command is
on the logic. When a hoist lower
command is issued the logic on
sheet 16 would cause a fault as
both direction inputs would be
provided.
The SIS would not detect a float No effect. 3

hold fault should it occur.
However, as soon as a hoist lower
command is issued, both
commands will be present
simultaneously, and the SIS will
238
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

If a hoist raise command is
on the logic. If a hoist lower
fault as both hoist direction inputs
would be provided. The SIS
would remove the hoist
operation.

constant hoist raise indication.
Should the hoist brakes not set,
the fault would never trip, since a
direction input is always present.
When a hoist lower command is
issued, both direction inputs will
be present, and the logic on sheet
16 will detect the fault, remove
the hoist permissives and halt
hoist operation.
239
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HJR Relay Energized by the hoist Coil fails open / short Unable to provide the enable No effect. 3
(Hoist Joystick Raise) joystick when the operator Contact fails open input to the Hoist Drive Power
(Line 2564) moves the hoist joystick Module for hoist raise operation.
to the raise direction. Unable to operate the hoist in
1 normally open Relay HJR provides a upward direction.
contact single relay contact
(Line 2622) closure to the Hoist Drive
Power Module to enable
hoist upward motion.
Contact fails closed The hoist raise discrete input No effect. 3

would be erroneously applied to
the hoist drive power module.

be required to have
uncommanded motion, as well as
failure of the supervisory system
to detect the failure and remove
the hoist permissives.
240
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HL Relay Energized when the Coil fails open / short Loss of lower direction input to
(Hoist Lower) operator moves the Contact fails open Operator Supervisory PLC. The
(Line 2537) joystick to the left, one input to the Sup. PLC is for fault
normally open relay detection only, and does not
1 normally open contact closes to provide provide a direction command to
contact an indication to the the hoist motor. That is done by
(Line 3534) supervisory system that the Hoist Drive Power Module.
hoist motion in the lower
commanded by the
operator.

functions:
ensure hoist joystick down This assumes the hoist joystick is
direction is not being in the center “off” position, and
commanded at startup only the direction contact has
(SIS sheet 13) failed closed. The SIS would not
detect a failure of the hoist
joystick lower direction contacts
failing closed since the input to
the SIS is not present. Even
though a direction command is
present, since the joystick is in
the center position, there would
be no speed output from the
potentiometers for motion to
occur.
241
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
This would assume the hoist No effect. 3
joystick has failed in an “off
center” position. If the joystick is
not in the center off position, the
enable to the mainline circuit
would not be present, and power
would not be applied to the
system. Therefore no motion
would occur.

directions (hoist raise and the hoist lower direction input.
lower) are not Should both hoist joystick
simultaneously direction contacts (raise and
commanded at anytime lower) fail closed, then the failure
during system operation would not be detected. Both
(SIS sheet 16) direction commands would be
applied to the HDPM. No motion
would occur.
• Checks for a failure of Potentially, if the hoist joystick No effect. 3

the hoist joystick lower contact has failed closed,
potentiometer, if a voltage but the input to the PLC has failed
is present with neither open, and a potentiometer
direction input present voltage is present, it would not be
(SIS sheet 16) detected. Requires failure of the
hoist joystick (erroneous lower
242
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
hoist_cmd_rpm value value for hoist_cmd_rpm. If the
(SIS sheet 18) HL relay contact fails open, the
quickly updated to the correct
value.
• Used to detect a float The SIS would detect a float hold No effect. 3
hold fault. Once the fault, remove the hoist
brakes are released, and permissives, halting hoist
there is no command to operation.
move, the SIS verifies
that the load does not
move more than 0.005
inch. (SIS sheet 18)
243
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

(uncommanded motion) So, when hoist lower is
be triggered, the hoist
permissives would be removed,

fail closed.)
• Checks that the brake is When hoist lower is commanded, No effect. 3

set if no direction the hoist lower contact would be
command is present open, and the hoist_brake_fault
(SIS sheet 22) (240) would be tripped, since the
brake would be released with no
244
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
If the hoist lower relay contact
inhibiting hoist operation.

When a hoist raise command is

Should the hoist potentiometer
have a “pot zero” failure, where
there was a voltage output, the
fault would not be tripped, since
the hoist lower input would be
present. However, as soon as a
hoist raise command is issued,
both direction inputs to the SIS
would be present. The SIS would
detect a fault and remove the
operation.
245
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
If a hoist lower command is
on the logic. When a hoist raise
command is issued the logic on
sheet 16 would cause a fault as
both direction inputs would be
provided.
The SIS would not detect a float No effect. 3

hold fault should it occur.
However, as soon as a hoist raise
command is issued, both
commands will be present
simultaneously, and the SIS will

If a hoist lower command is
on the logic. When a hoist raise
command is issued, no effect as
the logic on sheet 16 would cause
a fault as both hoist direction
inputs would be provided. The
SIS would remove the hoist
operation.
246
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
constant hoist lower indication.
Should the hoist brakes not set,
the fault would never trip, since a
direction input is always present.
When a hoist raise command is
issued, both direction inputs will
be present, and the logic on sheet
16 will detect the fault, remove
the hoist permissives and halt
hoist operation.
HJL Relay Energized by the hoist Coil fails open / short Unable to provide the enable No effect. 3
(Hoist Joystick joystick when the operator Contact fails open input to the Hoist Drive Power
Lower) moves the hoist joystick Module for hoist lower operation.
(Line 2565) to the lower direction. Unable to operate the hoist in
Relay HJL provides a downward direction.
1 normally open single relay contact
contact closure to the Hoist Drive
(Line 2624) Power Module to enable
hoist downward travel.
Contact fails closed The hoist lower discrete input No effect. 3

would be erroneously applied to
the hoist drive power module.

be required to have
uncommanded motion, as well as
failure of the supervisory system
to detect the failure and remove
the hoist permissives.
247
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HC Relay The Hoist Drive Power Coil fails open / short Unable to apply 460 VAC power No effect. 3
(Hoist Contactor) Module energizes relay to the Hoist Drive Power Module
(Line 2512) HDPR (Hoist Drive Ready or provide the “hoist enable”
for Power). Relay HDPR discrete input to the hoist drive
2 normally open in turn energizes relay HC. power module. Unable to operate
contacts the hoist in either direction.
Relay HC applies 460 VAC
power to the HDPM to
operate the hoist motor,
and a single contact closes
to provide an enable
(along with relay contact
HNE) to energize 3 relays;
Relay HE (Hoist Enable),
and the 2 hoist brake
release relays (HB1C and
HB2C).
(Line 1111) Applies 3-phase, 460 VAC Contact fails open Unable to apply power to the No effect. 3
power to the Hoist Drive hoist drive power module.
Power Module for hoist Unable to operate the hoist in
motor operation. either direction.
Contact fails closed Power would be applied to the No effect. 3

hoist drive power module.
However, to have uncommanded,

undetected motion would require
multiple additional failures.
248
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2515) Provides an enable (along Contact fails open Unable to provide the enable to No effect. 3
with relay contact HNE) to energize relays HNE and release
energize relay HE (Hoist the hoist brakes. Unable to
Enable), and HB1C & operate the hoist in either
HB2C (Hoist brake release direction.
relays).
Contact fails closed No effect by itself. However, with No effect. 3

a concurrent failure of relay HNE
contact failing closed, would
energize relay HE, providing an
enable to the hoist drive power
module.
However, additional failures

would be required to have
uncommanded, undetected hoist
motion.
HE Relay Energized by two series Coil fails open / short Unable to provide the enable No effect. 3
(Hoist Enable) relay contacts, relay HNE Contact fails open input to the Hoist Drive Power
(Line 2514) (Hoist Not E-Stop) and Module. Unable to operate the
relay HC (Hoist hoist in either direction.
1 normally open Contactor). Relay HE
contact provides a discrete input
(Line 2613) to the Hoist Drive Power
Module to allow hoist
operation.
249
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Erroneous enable indication No effect. 3
provided to Hoist Drive Power
Module (HDPM).
Hoist drive would be enabled for

motion, however multiple
additional failure would be
required to have uncommanded
motion, as well as the supervisory
system failure to detect
uncommanded motion and
remove the hoist permissives to
halt hoist motion.
HPR Relay Relay not currently used. N/A N/A N/A N/A
(Hoist Power Relay)
(Line 2664)
HDRP Relay This relay is energized by Coil fails open / short Unable to energize Hoist No effect. 3
(Hoist Drive Ready an output from the Hoist Contactor relay HC, which applies
for Power) Drive Power Module. 3-phase power to the Hoist Drive
(Line 2676) When energized, the relay Power Module and provides 1 of 2
closes a single relay enables for Hoist Enable relay HE.
1 normally open contact, energizing relay Unable to operate the hoist.
contact HC (Hoist Contactor).
(Line 2512)
250
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Hoist contactor relay HC would No effect. 3
stay energized, providing power
to the Hoist Drive Power Module.
Relay HC also provides a relay
contact closer for Hoist Enable.
However, the Hoist Enable would
not be energized since it also
requires a relay HNE contact
closure as well.
Uncommanded hoist motion

would require multiple additional
failures.
HDRPS Power Supply 120 VAC / 24 VDC power No / Low output Unable to energize relays HB1 No effect. 3
supply, provides power to and HB2 to release the hoist
(Line 2667) the T100 Technology brakes. HB1C & HB2C provide a
Board in the Hoist Drive relay contact closure to the crane
Power Module. The power supervisory PLC for monitoring.
is used to energize relays Supervisory PLC would remove
HB1 & HB2 (Hoist brake 1 the hoist permissives, halting
& 2 release relays). hoist operation. Unable to
operate the hoist.
High output Potential damage to the HDPM No effect. 3

T100 Technology Board or the
HB1 or HB2 relays.
251
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HDPM Hoist Drive Power Accepts operator No output to Hoist Motor If upon initial startup, the hoist No effect. 3
Module commands from the Hoist would not operate.
Joystick (via relays for
speed and direction, However, if the failure occurred
releases the hoist brake during a lifting operation, the SIS
(via relay logic) and drives compares the hoist drive load
hoist motor in the torque to the load cell value (SIS
commanded speed and software sheet 35). If these two
direction values are not within 1% of each
other, a fault will cause the SIS
During normal operation, PLC to generate a fault
the power module stores (hoist_load_fault), which will
the last value of the cause the SIS to remove both
voltage and current hoist permissives, and halt hoist
provided to the motor. operation. The hoist brakes will
When the hoist is set, safing the load.
commanded again, these
values are used (instead Should the load cell value also fail
of starting from 0), to with no output, then the load
provide an almost would start to descend. The SIS
instantaneous torque for would detect hoist motion in a
the motor. direction other than commanded,
and halt hoist operation.

undetected lowering of the load.
252
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low torque value provided The requirement is that the load No effect. 3
to hoist motor will not descend more than .005
of an inch when being lifted,
before the motor torque provides
enough torque to sustain the
load. The hoist motor provides
feedback to the hoist power
module of its voltage and current.
The secondary motor encoder
and Selsyn provides hoist motor
speed and direction information
to the supervisory PLC for
monitoring.
Should the power module not

supply enough voltage to the
hoist motor to sustain the load,
the supervisory PLC will detect a
fault in the hoist direction,
remove the hoist permissives and
halt hoist operation.
The SIS system is a redundant,

safety certified PLC.

undetected lowering of the load.
253
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High torque value The hoist would provide a higher No effect. 3
provided to hoist motor voltage than required to operate
the hoist motor, which would
cause it to operate faster than
commanded.
The hoist joystick has a

redundant potentiometer, which
provides a speed input to the
supervisory PLC for monitoring
purposes. The SIS system would
detect speed faster than
commanded, and remove the
operation. The SIS system is a
redundant, safety certified PLC.

undetected speed faster than
commanded.
254
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous high torque The Crane Supervisory PLC No effect. 3
value output provided to compares the host drive torque
Crane Supervisory PLC. value with the load cell value. If
the difference between the two is
greater than 1%, it will generate
a hoist load fault, causing both
supervisory PLC’s to remove the
hoist permissives (HCSP & HSP),
Should both values fail high (the

same amount), or the crane
supervisory PLC fail high (both
inputs go to the same module),
then higher torque than required
would occur.

detect speed faster than

commanded.
255
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous low torque The hoist drive output is No effect. 3
value output provided to compared to the load cell output.
Crane Supervisory PLC IF the delta between the two is
more than 1%, a fault will be
generated, and the SIS PLC will

detect speed is not as

commanded.
256
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Drives hoist motor in The hoist motor has 2 motor No effect. 3
wrong direction encoders and a Selsyn to monitor
motor speed and direction. One
encoder provides feedback to the
Hoist Drive Power Module, one
encoder provides motor speed
and direction information to the
Crane Supervisory PLC, Slot 3,
and the Selsyn provides motor
Operators Supervisory PLC, Slot
4.
The Crane Supervisory PLC. Slot

3, monitors the secondary motor
encoder output. If the encoder
value is of the opposite sign, the
PLC will remove its permissive
and halt crane operations.
The SIS system consists of

redundant, safety certified PLCs.

undetected motion in the wrong
direction.
257
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Drives hoist motor at a The hoist joystick has a No effect. 3
speed greater than redundant potentiometer, which
commanded provides a speed input to the
purposes.
The Crane Supervisory PLC. Slot

3, monitors the Secondary Motor
Encoder Output. If the encoder
speed is greater than the
commanded speed, the PLC will
remove its permissive and halt
crane operations.
The SIS system would detect

speed is not as commanded, and
halting hoist operation. The SIS
system consists of redundant,
safety certified PLCs.

commanded.
Drives hoist motor at Hoist motor would operate slower No effect. 3

speed less than than required.
commanded
258
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Inadvertent output The hoist joystick has a No effect. 3
causing hoist motor redundant potentiometer, which
operation in either provides a speed input to the
direction supervisory PLC for monitoring
purposes. The secondary motor
encoder and Selsyn provide
motor speed and direction
information to the Supervisory
PLC as well.
The Supervisory system PLC’s

compare commanded speed and
direction to actual speed and
direction. If they are not equal,
the PLC will remove the hoist
operation.
The SIS system would detect

uncommanded motion has
occurred, remove the hoist
permissives halting hoist
operation. The SIS system
consists of redundant, safety
certified PLCs.

undetected motion.
259
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The primary motor Internal failure resulting in Potential for the hoist drive power No effect. 3
encoder provides loss of, or corrupted, hoist module to drive the hoist motor
feedback to the hoist primary motor encoder at a different speed or direction
power module for motor data. than commanded.
control.
The Supervisory system PLC’s
compare commanded speed and
direction to actual speed and
direction. If they are not equal,
the PLC will remove the hoist
operation. Both supervisory PLC’s
would have to fail.


undetected hoist motor speed or
direction.
260
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Brake release is monitored Fails to issue Brake There is an input to the hoist No effect. 3
by the supervisory PLC, release command power module for a “hoist brake
but only for float mode ack”. When the Hoist Drive
operation. There is no Power Module outputs the
Supervisory software command to release the hoist
check that the brakes are brakes, 2 relays are energized
released for normal hoist (HB1 and HB2), which in turn
operation, other than the energize two relays (HB1C and
“hoist brake ack” input to HB2C). These two relays actually
the hoist drive power release the hoist brakes and
module. provide the “acknowledge” input
back to the hoist drive power
module that the brakes are
released.
If the hoist drive power module

fails to issue the command to
release the brakes, the
“acknowledge” input will not be
present, and the hoist drive
power module will not permit
hoist motor operation.
261
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous brake release Relays HB1 and HB2 would be No effect. 3
command issued energized, which would energize
relays HB1C and HB2C, releasing
the hoist brakes, allowing the
load to descend.
Inputs would be provided to the

HDPM hoist brake
acknowledgement (Line 2618)
and to the Crane Supervisory
PLC.
If the brakes are released with no

motion commanded, the
Supervisory PLC’s will detect
halting hoist operation. The hoist
brakes would set upon loss of
power. The SIS can detect
motion within .005 inch.
Fails to acknowledge If the hoist drive power module No effect. 3

Brake release command fails to acknowledge the brake
release, then it will not allow hoist
operation.
262
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous brake Should the HDPM fail, where the No effect. 3
acknowledge T100 board fails with an
erroneous brake
acknowledgement, indicating that
the hoist brakes were released,
no action would result. There
would have to be a speed and
direction input as well to have
uncommanded motion. Even if
uncommanded motion were to
occur, the Supervisory PLC would
detect this, remove the hoist
operation.
263
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Load Cell
HLCD Hoist Load Cell Provides the crane No output The SIS compares the Hoist drive No effect. 3
Display operator with a visible measured load to the load cell
display of the weight on value and, if the difference
the hook. between the two values is not
less than 10% of the rated load
when either load value is above
10% of the rated load, then a
“hoist_load_fault” will be
detected, and the SIS will remove
hoist operation.
Should the load cell and the

HDPM both fail with similar
values, then the SIS would detect
another fault, either speed
greater than commanded or
motion in the wrong direction,
remove the permissives and halt
hoist operation.
264
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output The SIS compares the Hoist drive No effect. 3
measured load to the load cell
value and, if the difference
between the two values is not
hoist operation.
Should the load cell and the

HDPM both fail with similar
values, then the SIS would detect
another fault, either speed
greater than commanded or
motion in the wrong direction,
remove the permissives and halt
hoist operation.
HLAO Hoist Load Analog The load cell supplies a No output The SIS compares the Hoist drive No effect. 3
Output signal to the hoist load measured load to the load cell
analog output, which value and, if the difference
outputs a 0 –10 VDC between the two values is not
signal to the Crane less than 10% of the rated load
Supervisory PLC, slot 1, when either load value is above
which corresponds to the 10% of the rated load, then a
weight on the hoist hook. “hoist_load_fault” will be
detected. The SIS will remove
the hoist permissives (HCSP &
HSP), causing the hoist to cease
operation.
265
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output The SIS compares the Hoist drive No effect. 3

High output measured load to the load cell
hoist operation.
The hoist load analog output is a

monitor function only and does
not control the hoist motor in any
way.
HLP Hoist Load Pin Converts the mechanical No output The SIS compares the Hoist drive No effect. 3
load (weight) into an measured load to the load cell
electrical signal, which is value and, if the difference
applied to the HLAO between the two values is not
module for output to the less than 10% of the rated load
Crane Sup. PLC, slot 1. when either load value is above
The intent is to ensure the “hoist_load_fault” will be
HDPM is producing detected. The SIS will remove
enough motor torque to the hoist permissives (HCSP &
hold the load. HSP), causing the hoist to cease
operation.
266
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High output The SIS compares the Hoist drive No effect. 3
Low output measured load to the load cell
detected. The SIS will remove
the hoist permissives (HCSP &
HSP), causing the hoist to cease
operation.
The hoist load analog output is a

monitor function only and does
not control the hoist motor in any
way.
267
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Motor Encoders and Selsyn
HST Selsyn Transmitter Converts hoist motor drive No output Loss of Selsyn data to the Op. No effect. 3
(Hoist) shaft speed and direction Sup. PLC will generate a fault
is sent to the Hoist Selsyn hoist permissives, halting hoist
receiver in the crane operation. The supervisory PLC
operators cab to measure also compares the secondary
Hoist motor drive shaft motor encoder to the joystick
distance traveled and secondary potentiometer output
direction for display on the to detect for speed greater than
distance display and is commanded, operation in the
provided to the Operators wrong direction, or motion
Supervisory PLC for without being commanded.
monitoring purposes.
encoder value to the motion.
Selsyn value, and if the
difference between the The SIS system consists of
two values is > 0, causes redundant, safety certified PLCs.
a fault to occur (based on
speed select switch
position).
268
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output (high or The SIS software compares hoist No effect. 3

low) secondary motor encoder data to
the Selsyn data. If they are not
equal, the software generates a
fault and halts hoist operation.
could occur. However, the hoist
for error checking.

motion.
269
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HSR Selsyn Receiver Receives an electrical No output Loss of Selsyn data to the Op. No effect. 3
(Hoist) signal representing hoist Sup. PLC will generate a fault
direction, and drives a hoist permissives, halting hoist
shaft connected to a dial operation. The supervisory PLC
gage to indicate direction also compares the secondary
and amount of travel. A motor encoder to the joystick
signal is also provided to secondary potentiometer output
the Hoist Selsyn encoder to detect for speed greater than
(HSE) and amplifier commanded, operation in the
(HSEA) for display on a wrong direction, or motion
digital distance display without being commanded.
and to the Operators
supervisor PLC, slot 4. Multiple failures required for
undetected failure resulting in
Used by the SIS for 1 speed or direction failure or
function only. Compares uncommanded motion.
the secondary motor
encoder to the Selsyn The SIS system consists of
value, and if the difference redundant, safety certified PLCs.
occur based on speed
select switch position.
270
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous output (high or The SIS software compares hoist No effect. 3

low) secondary motor encoder data to
the Selsyn data. If they are not
equal, the software generates a
fault and halts hoist operation.
could occur. However, the hoist
for error checking.

10 Gear Belt Drives the hoist Selsyn Breaks or slips The hoist Selsyn display would no No effect. 3
receiver encoder and longer rotate, or operate
Selsyn display in the crane erratically and loss of, or erratic
cab. hoist Selsyn encoder data to the
supervisory PLC would occur.
Loss of data, or erratic data would
be detected by the SIS PLC and
cause hoist operation to halt.
271
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HSE Selsyn Encoder Dual quadrature channels, No output Loss of Selsyn data to the Op. No effect. 3
(Hoist) ½ cycle index, 1024 Sup. PLC. Supervisory PLC &
Driven by the Hoist Selsyn and halt hoist operation.
receiver output shaft,
senses the relative motion The supervisory PLC also
of the Selsyn shaft, which compares the hoist motor
is equivalent to the hoist encoder and joystick
drive shaft direction and potentiometer output to check for
speed. Outputs 2 speed greater than commanded,
channels of data, A and B, travel in the wrong direction, or
to Hoist Selsyn Encoder uncommanded motion.
Amplifier (HSEA).
Depending on which The SIS supervisory system has
channel is leading or redundant, safety certified PLC’s.
lagging, indicates motor
rotation direction. Multiple failures required.
digital display for the software generates a fault and
operator to make very halts hoist operation. However,
small incremental should the secondary motor
movements (1/64th of an encoder have a concurrent
inch) as required. failure, speed greater than
would be possible with another
failure.
272
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HSEA Sensor Encoder Accepts motor speed and No output Loss of Selsyn data to the Op. No effect. 3
Amplifier (Hoist) direction data from the Sup. PLC. Supervisory PLC &
Hoist Selsyn Encoder software would detect loss of data
(HSE), and provides and halt hoist operation.
outputs to the Hoist
Distance Display (HDD) The supervisory PLC also
and to the Operators compares the hoist motor
Supervisor PLC, slot 4. encoder and joystick
Used by the SIS for 1 potentiometer output to check for
function only. Compares speed greater than commanded,
the secondary motor travel in the wrong direction, or
encoder to the Selsyn uncommanded motion.
between the two values is Multiple failures required.
occur based on speed
select switch position.
273
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
operator to make very low) Sup. PLC and hoist distance
movements (1/64th of an the hoist farther than required.
inch) as required.
fault will cause hoist permissives
to be removed, halting hoist
operation.

compares the hoist motor
uncommanded motion.
274
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HDD Hoist Distance Digital display, driven by No output to display Loss of visual indication to crane No effect. 3
Display the Hoist Sensor Encoder operator. Operator would stop
Amplifier (HSEA), that hoist and halt crane operations.
displays the gross hoist
distance traveled.

the hoist in 1/64 inch
increments.
a. Erroneous electronic The operator could move the No effect. Correcting action 3
display hoist farther than required. prevents impact of load with
b. Electrical failure, burn Should the potential exist to run structure / personnel, and
out of display the load into something, the loss of life.
segment(s). observer could hit the e-stop to
c. N/A halt hoist operation. Selsyn dial
d. Observer indicator provides a redundant
with structure is
imminent
f. > 3 seconds
g. <= 3 seconds
275
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Load Bypass
None Manual Load Set Enables the crane operator to provide a manual input to the Hoist Drive Power Module (HDPM) to pre-set a motor torque
Switch (keyed) value. This is only used to allow the hoist to lower the load in event of a load cell failure. This allows the motor to start at
On / off switch a pre-set torque instead of having to start out from 0 torque, which permits the motor to assume the load quicker.
(Line 2529)
Keyed off switch Energizes relay HLB (Hoist Fails open Unable to provide the indication No effect. 3
position Load Bypass), which to the HDPM that an operator
provides an input to the selected load value will be
HDPM, that an operator- provided. Unable to operate the
selected load will be hoist in load bypass mode.
provided.
Fails closed Unable to disable the load bypass No effect. 3
mode. The HDPM will use the
rheostat value, and will use this
value the next time the hoist
motor is operated. The SIS will
detect an error if the rheostat
preset is not within approx 10%
of the load.
None Rheostat Allows the operator to No output (Fails open) Unable to lower the load. No effect. 3
apply a voltage to the
Hoist Drive Power Module
Erroneous output, High or If the voltage is the same as the No effect. 3
(HDPM) that is equivalent
low load, the load will initially remain
to the current load, to
stationary. If the voltage is not
allow lowering of the load.
close enough to simulate the load
Only used in event of load
cell value, the hoist will roll up or
cell failure.
down, depending on if the voltage
is higher or lower than required.
The SIS will detect this as an
error condition, and halt
operation.
276
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HLB Relay Energized when the Coil fails open / short Unable to utilize the hoist load No effect. 3
(Hoist Load Bypass) operator utilizes the keyed bypass function. Unable to
(Line 2529) load set switch, which sets operate the hoist.
a pre-torque for the hoist
2 normally open motor. This allows the
contacts hoist motor to start at a
pre-set torque instead of
start from 0 torque and
spooling up to the
required torque to support
the load.
Only used in event of a

load cell failure, to lower
the load.
(Line 2572) Energizes relay HLR, Contact fails open Unable to utilize the hoist load No effect. 3
which provides a discrete bypass function. Unable to
input to the HDPM, to operate the hoist.
indicate user selected pre-
load has been selected.
Contact fails closed Relay HLR (Hoist Load Relay) No effect. 3

would stay energized, providing
an input to the HDPM, indicating
that the load reference would be
provided by the operator.
The HDPM will not operate

without the input from the Manual
Load Set switch.
277
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Line (3539) When the Hoist load Contact fails open Unable to disable the No effect. 3
Bypass Switch is utilized, “hoist_load_fault”. Unable to
relay HLB (Hoist Load operate the hoist.
Bypass) is energized. This
contact provides a
discrete input to the
Operators supervisory
PLC, slot 5, to indicate
that the hoist load bypass
has been activated. This
input is used by the
supervisory PLC for one
function only (sheet 42).
It disables the hoist load
fault detection function,
since it is used only in
event of a load cell failure.
Permits lowering of the
load in event of a load cell
failure, without tripping a
fault.
278
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The hoist load fault detection No effect. 3

would be disabled. Should a load
fault occur, the SIS would not be
able to detect the failure and
remove the hoist permissives.
Would require a prior failure of

the load cell or the output of the
HDPM torque value.
If a load cell / torque value failure

did occur, and it was not
detected, if the load was being
lifted, then motion in the opposite
direction would be detected, or if
the load was being lowered,
would be detected, and the SIS
would remove the hoist
operation.
279
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HLR Relay Energized by relay HLB Coil fails open / short Unable to utilize the hoist load No effect. 3
(Hoist Load Relay) when the crane operator Contact fails open bypass function. Unable to
(Line 2572) uses the manual load set operate the hoist.
switch to select a pre-load
1 normally open for the hoist motor torque.
contact
(Line 2610) Provides a discrete input
to the HDPM to indicate
user selected pre-load is
enabled.
Contact fails closed The HDPM will not operate No effect. 3
without the input from the Manual
Load Set switch.
280
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Speed Select
None Speed Select switch Selects fine, coarse speed Fails open in fine speed The assumption is that either No effect. 3
3 position or hoist hold (Float) for position coarse speed or float mode is the
(Line 2526) hoist operation. Switch current operating mode, and the
operation energizes switch fails open as the operator
relays, which provide attempts to select fine speed.
relay contact closure to
the Operators Supervisory With neither fine or coarse speed
PLC, slot 5, and to input present, the hoist drive
energize additional relays, power module will operate in fine
which provide speed speed by default. There is no fine
range selection to the speed input to the HDPM, only
Hoist Drive Power Module coarse and float.
(HDPM).
The SIS software will generate a
There is no input to the fault if no input from any of the
HDPM for fine speed since three switch positions is present.
it is the default speed. In When a fault is detected, the SIS
the absence of coarse will remove the hoist permissives,
speed, fine is the default. halting hoist operation.
However, an input is
provided to the SIS when
fine speed is selected.
Inputs are provided to
both the HDPM and SIS
for coarse and hoist hold
(float) operation.
281
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails closed in fine speed The hoist would operate in fine No effect. 3
position speed only.
The SIS software performs a

check for any two of the switch
inputs being present
simultaneously. If any two inputs
are detected, the SIS will
generate a fault, and the SIS will
282
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails open in coarse speed The assumption is that either fine No effect. 3
position speed or float mode was
previously selected, and the
switch fails open as the operator
attempts to select coarse speed.
If the hoist were operating in fine

speed, and the operator
attempted to select coarse speed,
then hoist operation would
continue in fine speed since fine
speed is the HDPM default, and
no input to the HDPM is required
to operate in fine speed. The SIS
software would continue checking
for fine speed since fine speed is
assumed if neither speed is
present.

fault if no input from any of the
three switch positions is present.
When a fault is detected, the SIS
will remove the hoist permissives,
283
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Coarse speed position) for hoist operation when required. rule 3.c that says operator is
b. Mechanical failure, required to switch to slow
welded contacts The HDPM and the Operators speed within 10 feet of
c. N/A Sup. PLC will continue to get a structure (or any other
d. Operator will have to coarse (fast) speed input. Hoist object), which will give
notice that hoist speed will continue motion in fast speed. adequate time to intervene if
did not change as a failure occurs.
commanded.
e. Move joystick to off Correcting action prevents
position, or press e- loss of life or damage to flight
stop hardware.
f. > 3 seconds
g. <= 3 seconds
Fails open in float position Unable to operate the hoist in No effect. 3

float mode.

fault if no input from any of the
three switch positions is present.
When a fault is detected, the SIS
will remove the hoist permissives,
284
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Fails closed in float Unable to exit hoist float mode No effect. 3
position and enable normal hoist
operation. Once the thumb
button and foot pedal is released,
and the float pot is returned to
the off position, the brakes are
set and the load is safe.
Normal hoist operation will not be

available.
Hoist Fine Speed

HFS Relay This relay is energized Coil fails open / short The SIS software will generate a No effect. 3
(Hoist Fine Selected) when the hoist speed Contact fails open fault if no input from any of the
(Line 2526) select switch is in the fine three switch positions is present.
speed position. When When a fault is detected, the SIS
1 normally open energized, the relay closes will remove the hoist permissives,
contact a contact to provide an halting hoist operation.
(Line 3538) input to the Operators
Supervisory PLC, Slot 5,
to indicate that hoist fine
speed is selected by the
operator. There is no
intermediate relay to
In the absence of coarse
speed or float inputs, fine
speed is the default speed
range.
285
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The hoist would operate in fine No effect. 3
speed only.

check for any two of the switch
inputs being present
Hoist Coarse Speed
HCS Relay This relay is energized Coil fails open / short The SIS software will generate a No effect. 3
(Hoist coarse speed when the hoist speed fault if no input from any of the
selected) select switch is in the three switch positions is present.
(Line 2527) coarse position. When When a fault is detected, the SIS
energized, the relay closes will remove the hoist permissives,
2 normally open 2 contacts as described halting hoist operation.
contacts below.
Line 2569 & 3537
(Line 2570) Energizes Relay HCR Contact fails open Unable to command the HDPM to No effect. 3
(Hoist Coarse Relay) operate in coarse speed. Fine
which in turn provides an speed is the default speed.
input to the Hoist Drive
Power Module (HDPM)
that coarse speed is
selected by the operator.
286
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The HDPM would continuously be No effect. 3
provided a coarse speed
command.
If fine speed were commanded,

the SIS would detect a delta
between the actual speed and the
commanded speed, remove the
hoist permissives, and halt hoist
operation.
No effect if float mode is

commanded.
(Line 3537) Provides an input to the Contact fails open The SIS software will generate a No effect. 3
Operators Supervisory fault if no input from any of the
PLC, slot 5, to indicate three switch positions is present.
that coarse speed is When a fault is detected, the SIS
selected by the operator will remove the hoist permissives,
for hoist motor operation. halting hoist operation.

287
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The SIS software performs a No effect. 3

check for any two of the hoist
speed switch inputs being present

Both relay contacts fail A coarse speed command would No effect. 3

closed continue to be provided to both
the hoist drive power module and
the supervisory PLC.

check for any two of the hoist
speed switch inputs being present

288
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HCR Relay Energized by relay HCS Coil fails open / short The assumption is that either fine No effect. 3
(Hoist Coarse Relay) when Speed range select Contact fails open or high speed was selected, and
(Line 2569) switch is placed in coarse the operator attempts to select
speed position. Provides coarse speed.
1 normally open an input to the Hoist Drive
contact Power Module to indicate If the hoist were operating in fine
Line 2620 coarse speed is selected speed, and the operator
for hoist motor operation. attempted to select coarse speed,
then hoist operation would
continue in fine speed since fine
speed is the HDPM default, and
no input to the HDPM is required
to operate in fine speed. Hoist
would continue to operate in fine
speed. Operation in a speed
slower than commanded is a non-
critical failure. No fault would
occur.
289
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed This relay contact provides an No effect. 3
input to the HDPM to enable hoist
motor coarse speed operation.
If fine speed is selected, the hoist

would operate in coarse speed, as
no fine speed input is provided to
the HDPM. The fine speed select
switch energizes relay HFS, which
provides an input to the
supervisory PLC to indicate fine
speed is commanded. The HDPM
would operate the hoist motor in
coarse speed, the supervisory
PLC would be expecting fine
speed, and would detect a delta
between actual and commanded
speed, remove the hoist
operation.
Hoist Float
HHS Relay This relay is energized Coil fails open / short Unable to operate hoist in float No effect. 3
(Hoist Hold Selected) when the hoist speed mode.
(Line 2528) select switch is in the float
position. When energized,
2 normally open the relay closes 2 contacts
contacts as described below.
290
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2571) Energizes Relay HHR Contact fails open Unable to operate hoist in float No effect. 3
(Hoist Hold Relay) which mode.
in turn provides an input
to the Hoist Drive Power
Module (HDPM) that float
mode is selected by the
operator.
Contact fails closed Relay HHR would remain No effect. 3

energized, which would provide
the float speed input to the
HDPM.
If hoist coarse speed is

commanded, two speed inputs
will be provided to the HDPM.
Either the HDPM would not
operate, or it will operate at float
speed.
If hoist fine speed is commanded,

no speed input is provided to the
HDPM. The HDPM will operate at
float speed when fine speed is
commanded.
291
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 3536) Provide an input to the Contact fails open Unable to operate the hoist in No effect. 3
Operators Supervisory float mode.
PLC, slot 5, to indicate
that float mode is selected However, the SIS software
by the operator. checks for neither of the 3 speed
inputs being present. If no speed
input is present, the SIS software
will detect a
“hoist_no_spd_sel_flt”, and
Contact fails closed The input to the SIS would be No effect. 3

failed on.
The SIS software checks for the

presence of two simultaneous
inputs.
When either fine or coarse speed

is selected, two inputs will be
present simultaneously, and the
SIS will detect a
“hoist_speed_sel_fault” and
removes the hoist permissives,
292
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HHR Relay Energized by relay HHS Coil fails open / short Unable to operate the hoist in No effect 3
(Hoist High Relay) when hoist speed range Contact fails open float mode.
(Line 2571) select switch is placed in
float position. Provides an However, the SIS software
1 normally open input to the Hoist Drive checks for neither of the 3 speed
contact Power Module to indicate inputs being present. If no speed
Line 2621 float speed is selected. input is present, the SIS software
will detect a
“hoist_no_spd_sel_flt”, and
Contact fails closed The input to the SIS would be No effect. 3

failed on.
The SIS software checks for the

presence of two simultaneous
inputs.
When either fine or coarse speed

is selected, two inputs will be
present simultaneously, and the
SIS will detect a
“hoist_speed_sel_fault” and
removes the hoist permissives,
293
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Limit Switches

Upper Limit
Switches
HWLS Limit Switch, Final limit switch for Fails open The weighted limit switch is wired No effect. 3
Weighted limiting upward hoist in the Mainline Control startup
Normally Closed travel to prevent two- circuit. While closed, it provides
(Line 638) blocking the hoist, an “enable” to allow the hoist
breaking the wire rope circuit to be “turned on”. Should
and dropping the load. the limit switch fail open, the
hoist could not be turned on and
The limit switch will open, would not operate.
removing control power to
the hoist mainline control
Fails closed The weighted limit switch is the No effect. 3
circuit relays CCR2 and
final limit switch to stop hoist
MIX, halting hoist
travel in the upward direction. If
operation.
it failed closed, the hoist would
continue upward travel and two-
block, potentially breaking the
wire rope and dropping the load.
Would require a previous failure

of the hoist geared limit switch or
relay HUS contact failing closed,
and either a control failure
resulting in failure of hoist to stop
motion, or operator error.
294
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HGULS Limit Switch First limit switch for Fails open Unable to operate the hoist in the No effect. 3
(Hoist Geared Upper limiting upward hoist upward direction. No effect on
Limit switch) travel to prevent two- hoist lower operation.
blocking the hoist,
(Line 2518) breaking the wire rope
and dropping the load.
The geared limit switch is

wired into the Hoist
Control circuit. Normally
closed, it energizes relay
HUS (Hoist Upper Stop).
Relay HUS then provides
an “enable” to the Hoist
Drive Power Module
(HDPM) for hoist raise and
float raise.
295
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
When the limit switch is Fails closed Relay HUS would not be de- No effect. 3
tripped (opened), it will energized to inhibit HDPM raise
cause the hoist to halt operation (normal and float).
operation. Hoist would continue upward
travel.
The final weighted limit switch

would halt hoist operation.
However, if the final limit switch
should also fail, possible to two-
block, breaking the wire rope and
dropping the load.
Would require a prior failure

where the hoist did not cease
operation or operator error to
exceed allowable travel limits.
296
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HUS Relay Provides an enable to Coil fails open/short Unable to operate the hoist in the No effect. 3
(Hoist Upper Stop) allow HDPM operation in Contact fails open upward direction, in either normal
(Line 2518) the upward direction. or float mode.
Halts upward hoist travel,
1 normally open to prevent two-blocking
contact the hoist and dropping the
(Line 2623) load.
The relay is energized as

long as the hoist geared
upper limit switch
(HGULS) is closed
providing an enable to
allow hoist upward travel.
When the Geared Upper

Limit switch has been
tripped, the relay de-
energizes, and removes
an input to the Hoist Drive
Power Module to inhibit
hoist raise operations.
297
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Should the hoist trip the geared No effect. 3
upper limit switch, the relay
would be de-energized, but the
hoist drive power module would
not have its “raise” enable
removed. Hoist upper travel
would continue.
The final weighted limit switch

would halt hoist operation.
However, if the final limit switch
should also fail, possible to two-
block, causing the wire rope to
break and dropping the load.
Would require a prior failure

where the hoist did not cease
operation or operator error to
exceed allowable travel limits.
298
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Lower Limit
Switch
HGLLS Limit Switch Limits downward hoist Fails open The geared limit switch is wired No effect. 3
(Hoist Geared Lower travel to prevent reverse into the Hoist Control circuit.
Limit Switch) winding of the wire rope While closed, it energizes relay
Line 2520 from the drum. HLS (Hoist Lower Stop). Relay
HLS then provides an “enable” to
the Hoist Drive Power Module
(HDPM) for Joystick lower and
float lower.
Hoist would not operate in the

lower direction.
Fails closed Hoist would continue downward No effect. 3

travel, possibly causing reverse
winding of the wire rope from the
drum. Possible damage to the
wire rope.
299
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HLS Relay Limits downward hoist Coil fails open/short Unable to operate the hoist in the No effect. 3
(Hoist Lower Stop) travel to prevent reverse Contact fails open downward direction in either
(Line 2520) winding of the wire rope normal or float mode. No effect
from the drum. on hoist raise direction operation.
1 normally open
contact The relay is energized as
Line 2624 long as the Hoist Geared
Lower Limit Switch
(HGLLS) is closed. When
the HGLLS has been
tripped, the relay de-
energizes, and removes
the enable input to the
Hoist Drive Power Module
for hoist joystick and float
lower command inputs,
inhibiting hoist lower
operations.
Contact fails closed Hoist would continue downward No effect. 3
travel, possibly causing reverse
winding of the wire rope from the
drum. Possible damage to the
wire rope.
300
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Brakes
HB1 Relay Energized by the Hoist Coil fails open Unable to energize relay HB1C to No effect. 3
(Hoist Brake 1) Drive Power Module, Contact fails open release hoist brake #1 and enable
(Line 2669) serves as a command to HDPM operation. Unable to
release hoist brake 1. operate the hoist.
1 normally open
contact When HB1 is energized,
(Line 2515) its contact then energizes
relay HB1C, which actually
applies power to hoist
brake #1 to release it.
The SIS monitors for hoist

brake status (set /
released).
Both hoist brakes are
released simultaneously,
but separately, by the
301
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Relay HB1C would remain No effect. 3
energized, which would keep
hoist brake #1 released.
The “hoist brake ack” input to the

HDPM would be removed by
series relay contact HB2C, which
would inhibit the HDPM from
operating.
Hoist brake #1 would be

released, but hoist brake #2
would be set. Each brake is
independently capable of holding
the load. Should brake #2 fail to
set, then the load would be
allowed to descend, but the SIS
would detect uncommanded
motion and remove the hoist
operation.
In addition, the SIS, sheet 22,

checks that with no motion
commanded, if either brake is
released (not set) it will trip the
“hoist_brake_fault”, causing the
SIS to remove the hoist
operation.
302
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HB2 Relay Energized by the Hoist Coil fails open Unable to energize relay HB2C to No effect. 3
(Hoist Brake 2) Drive Power Module, Contact fails open release hoist brake #2 and enable
(Line 2670) serves as a command to HDPM operation. Unable to
release hoist brake 2. operate the hoist.
1 normally open
contact When HB2 is energized,
(Line 2517) its contact then energizes
relay HB2C, which actually
applies power to hoist
brake #2 to release it.
The SIS monitors for hoist

brake status (set /
released).
Both hoist brakes are
released simultaneously,
but separately, by the
303
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Relay HB2C would remain No effect. 3
energized, which would keep
hoist brake #2 released.
The “hoist brake ack” input to the

HDPM would be removed by
series relay contact HB1C, which
would inhibit the HDPM from
operating.
Hoist brake #2 would be

released, but hoist brake #1
would be set. Each brake is
independently capable of holding
the load. Should brake #1 fail to
set, then the load would be
allowed to descend, but the SIS
motion and remove the hoist
operation.
In addition, the SIS, sheet 22,

checks that with no motion
commanded, if either brake is
released (not set) it will trip the
operation.
304
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HB1C Relay The Hoist Drive Power Coil fails open Both hoist brakes are released No effect. 3
(Hoist Brake 1 Module will initiate release simultaneously, but separately,
Contactor) of the hoist brakes by by the Hoist Drive Power Module.
(Line 2515) energizing relay HB1.
When relay HB1 is Unable to release hoist brake #1.
3 normally open energized, it energizes Loss of hoist brake #1 release
contacts HB1C. Relay HB1C has 3 acknowledgement to the Hoist
contact sets as described Drive Power Module. The HDPM
below: will not enable hoist motor
operation. Hoist will not operate.
1 ganged set of 2 • Applies power to hoist Contacts fails open There is no indication from the No effect. 3
contacts brake #1 to release the brake itself to indicate whether
(Line 1170) brake. These 2 contacts the brake is set or released.
complete the electrical Indications of whether the brake
circuit to apply power to is set or released is by additional
energize the hoist brake relay contacts of HB1C to the
coil to release the brake. HDPM and relay HB1R to the SIS
Unable to release hoist supervisory PLC.
brake #1.
The brake would remain set, and
the hoist motor would attempt to
drive through the brake. There is
no SIS check to ensure the brake
is released when motion is
commanded.
305
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contacts fails closed Power would constantly be No effect. 3
applied to Hoist brake #1,
keeping the brake released. Hoist
brake #1 would not be able to
set.
Each brake is independently

capable of holding the load.
Concurrent failure of the relay

contact set for hoist brake #2
would result in neither brake
being able to set.
The SIS, sheet 22, checks that

with no hoist direction command
present, if either brake is released
(not set) it will trip the
operation.
Additionally, the SIS checks for
uncommanded motion. Should
both brakes not set, and the
above check fail, additional SIS
software would detect
remove both hoist permissives,
causing the mainline power to be
removed, halting crane operation,
and allowing the brakes to set.
306
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
undetected brake release and
motion.
(Line 2573) • This contact energizes Contact fails open When the contact is open, relay No effect. 3
relay HB1R (Hoist Brake HB1R would be de-energized, and
1 Relay). This relay the input to the SIS would not be
provides an input to the present, which would indicate
Crane supervisory PLC that hoist brake #1 is set.
(SIS) as an indication of
hoist brake #1 status Unable to provide input to the SIS
(open=set or that hoist brake #1 is released.
closed=released).
If the brake is released, but the
input is not present, the
“hoist_brake_fault” could not be
tripped if the fault were to occur.
Either brake is capable of holding

the load. Should there be
movement, the SIS would detect
safing the hoist.
307
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed When the contact is closed, relay No effect. 3

HB1R would be energized, and
the input to the SIS would remain
on, which would indicate that
hoist brake #1 is released.
With a brake release indication

and no hoist direction input
present, the SIS would detect a
“hoist_brake_fault”, remove the
hoist permissives and halt hoist
operation.
(Line 2617) • 1 of 2 series contacts Contact fails open Loss of brake release No effect. 3
(brake 1 & brake 2) that acknowledge back to the hoist
provide a “brake release drive power module.
acknowledgement” to
the Hoist Drive Power The HDPM will not permit hoist
Module that the brakes motor operation without this input
have been released. present.
308
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The hoist brake #1 contact failing No effect. 3

closed by itself would have no
effect on system operation as an
additional series contact for brake
#2 (HB2C) is also required to
provide an erroneous hoist brake
acknowledgement signal to the
However, if both contacts fail

closed an erroneous signal to the
hoist drive power module that the
hoist brakes are released would
be present.

be required to have undetected,
uncommanded motion.
309
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HB1R Relay Provides an indication to Contact fails open Unable to provide input to the SIS No effect. 3
Line 2573 the Crane Supervisory that hoist brake #1 is released.
1 normally open PLC, Slot 4, that Hoist When no motion is commanded,
contact brake #1 has been the brakes should be set.
(Line 3033) released.

safing the hoist.
Contact fails closed Would cause an erroneous input No effect. 3

to the Supervisory PLC that hoist
brake #1 is released, when the
brake is set.
The supervisory PLC checks that

with no motion commanded, if
either brake is released, it will
cause a “hoist_brake_fault” and
the SIS will remove both hoist
operation.
310
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HB2C Relay The Hoist Drive Power Coil fails open Both hoist brakes are released No effect. 3
(Hoist Brake 2 Module will initiate release simultaneously, but separately,
Contactor) of the hoist brakes by by the Hoist Drive Power Module.
(Line 2517) energizing relay HB2.
When relay HB2 is Unable to release hoist brake #2.
3 normally open energized, it energizes Loss of hoist brake #2 release
contacts HB2C. Relay HB2C has 3 acknowledgement to the Hoist
contact sets as described Drive Power Module. The HDPM
below: will not enable hoist motor
operation.
1 ganged set of 2 • Applies power to hoist Contacts fails open There is no indication from the No effect. 3
contacts brake #2 to release the brake itself to indicate whether
(Line 1172) brake. These 2 contacts the brake is set or released.
complete the electrical Indications of whether the brake
circuit to apply power to is set or released is by additional
energize the hoist brake relay contacts of HB2C to the
coil to release the brake. HDPM and relay HB2R to the SIS
Unable to release hoist supervisory PLC.
brake #2.
The brake would remain set, and
the hoist motor would attempt to
drive through the brake. There is
no SIS check to ensure the brake
is released when motion is
commanded.
311
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contacts fails closed Power would constantly be No effect. 3

applied to Hoist brake #2,
keeping the brake released. Hoist
brake #2 would not be able to
set.
Each brake is independently
capable of holding the load.
Concurrent failure of the relay
contact set for hoist brake #1
would result in neither brake
being able to set.
The SIS, sheet 22, checks that
with no hoist direction command
present, if either brake is released
(not set) it will trip the
operation.
Additionally, the SIS checks for

uncommanded motion. Should
both brakes not set, and the
above check fail, additional SIS
software would detect
remove both hoist permissives,
causing the mainline power to be
removed, halting crane operation,
and allowing the brakes to set.
undetected brake release and
motion.
312
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2574) • This contact energizes Contact fails open When the contact is open, relay No effect. 3
relay HB2R (Hoist Brake HB2R would be de-energized, and
2 Relay). This relay the input to the SIS would not be
provides an input to the present, which would indicate
Crane supervisory PLC that hoist brake #2 is set.
(SIS) as an indication of
hoist brake #2 status Unable to provide input to the SIS
(open=set or that hoist brake #2 is released.
closed=released).

safing the hoist.
313
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed When the contact is closed, relay No effect. 3

HB2R would be energized, and
the input to the SIS would remain
on, which would indicate that
hoist brake #2 is released.
With a brake release indication

and no hoist direction input
present, the SIS would detect a
“hoist_brake_fault”, remove the
hoist permissives and halt hoist
operation.
(Line 2617) • 1 of 2 series contacts Contact fails open Loss of brake release No effect. 3
(brake 1 & brake 2) that acknowledge back to the hoist
provide a “brake release drive power module.
acknowledgement” to
the Hoist Drive Power The HDPM will not permit hoist
Module that the brakes motor operation without this input
have been released. present.
314
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The hoist brake #2 contact failing No effect. 3

closed by itself would have no
effect on system operation as an
additional series contact for brake
#1 (HB1C) is also required to
provide an erroneous hoist brake
acknowledgement signal to the
However, if both contacts fail

closed an erroneous signal to the
hoist drive power module that the
hoist brakes are released would
be present.

be required to have undetected,
uncommanded motion.
315
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HB2R Relay Provides an indication to Contact fails open Unable to provide input to the SIS No effect. 3
Line 2574 the Crane Supervisory that hoist brake #2 is released.
1 normally open PLC, Slot 4, that Hoist When no motion is commanded,
contact brake #2 has been the brakes should be set.
(Line 3036) released.

safing the hoist.
Contact fails closed Would cause an erroneous input No effect. 3

to the Supervisory PLC that hoist
brake #2 is released, when the
brake is set.
The supervisory PLC checks that

with no motion commanded, if
either brake is released, it will
cause a “hoist_brake_fault” and
the SIS will remove both hoist
operation.
316
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Float Mode
HDFP Rotary Switch Used to operate the hoist

(Hoist Drive Float motor in float mode (raise
Potentiometer) / lower).
(Line 2549) • Normally closed contact Mainline control contact Unable to energize the crane No effect. 3
when float switch is in fails open mainline contactor, CCR1, to
the center “off” position. allow crane operation.
Output goes to Mainline
contactor reset circuit,
line 636, which verifies
the float switch is in the
centered off position to
allow crane to “power
up”. No effect on the
circuit after that.
Mainline control contact There are additional series No effect. 3
fails closed contacts (Bridge joystick (BRI),
Trolley joystick (TROL), Hoist Cab
Sup. Permissive (HCSP) from
Operators Sup. PLC slot 5, and
HSP from Crane Supervisory PLC,
Slot 4, that are normally open
that prevent the power from
being inadvertently applied to the
crane mainline control circuit.
317
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Dual float raise

directional contacts
(Line 2550) • When the operator Hoist Float Raise direction Unable to provide an input to the No effect. 3
rotates the float switch contact fails open hoist drive power module to
to the right to select operate the hoist motor in the
float raise, energizes float raise mode.
relay HFR that provides
Hoist Drive Power
Module (Line 2566).
Hoist Float Raise direction Hoist drive power module would No effect. 3
float raise command.

failures of relay FR contact failing
(voltage) from both float
potentiometers.
• Provides a discrete input Hoist Float Raise direction The Supervisory system would No effect. 3
to the Operators contact fails open not be aware that float raise has
Supervisory PLC, Slot 5, been commanded. The SIS
(Line 3535) for system would detect hoist uncommanded
monitoring that float motion and remove the hoist
raise has been permissives (HCSP and HSP),
commanded. halting hoist operation.
318
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Float Raise direction The supervisory system would be No effect. 3

indication that float raise has
operator.

failures of relay HFR contact
potentiometers, and a failure of
the SIS to detect uncommanded
motion.
Dual float lower

directional contacts
(Line 2552) • When the operator Hoist float lower direction Unable to provide an input to the No effect. 3
rotates the float switch contact fails open hoist drive power module to
to the left to select float operate the hoist motor in the
lower, energizes relay float lower mode.
HFL that provides a
discrete input to the
Hoist Drive Power
Module (Line 2567).
319
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist float lower direction Hoist drive power module would No effect. 3
lower command.

failures of relay HL contact failing
(voltage) from both
motion.
• Provides a discrete input Hoist Float Lower direction The Supervisory system would No effect. 3
to the Operators contact fails open not be aware that float lower has
Supervisory PLC, Slot 5, been commanded. The SIS
(Line 3536) for system would detect hoist uncommanded
monitoring that float motion and remove the hoist
lower has been permissives (HCSP and HSP),
commanded. halting hoist operation.
320
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Hoist Float Lower direction The supervisory system would be No effect. 3

indication that float lower has
operator.

failures of relay HFL contact
motion.
Dual Potentiometers –
Hoist Float Mode
(Line 2553) • Center tapped No output Unable to operate the hoist motor No effect. 3
potentiometer outputs a in float mode.
+/- 10 VDC voltage to
the Hoist Drive DC
Power Module (HDPM),
indicating commanded
speed for hoist float
operation.
321
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. High output Voltage applied to hoist drive No effect. Correcting action 3

b. Electrical failure power module would be greater will prevent damage to flight
c. N/A than expected and result in the hardware.
d. Operator monitors load being raised or lowered
distance traveled on a faster than expected. A
dial indicator in the cab redundant potentiometer provides
and the observer also an equivalent voltage to the
monitors travel motion. supervisory system for
e. Return float monitoring purposes. If the
potentiometer to zero voltages are not equal, the
speed, release permissives would be removed
thumbswitch or foot and hoist operation halted.
pedal, to halt float If both potentiometers failed high
mode operation, or the same amount, then the
press e-stop supervisory PLC would not detect
f. > 3 seconds the failure.
g. <= 3 seconds The load could move farther /
faster than expected. However,
due to the extremely slow speed
while in float mode (0.1 in/sec
maximum), it is not expected that
loss of life would occur, although
damage to flight hardware could
be possible. The operator /
observer will have adequate time
to detect the failure.
Additionally, the SIS monitors the
potentiometers to ensure that
zero volts is present in the “off”
position.
322
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output Hoist float speed would be slower No effect. 3

than expected. The supervisory
system compares commanded
speed to actual speed and if they
are not the same, removes the
hoist permissives and halts hoist
operation.
• Center tapped No output The supervisory PLC would detect No effect. 3

potentiometer outputs a float mode operation as
+/- 10 VDC voltage to uncommanded motion, remove
the Operators the hoist permissives and halt
Supervisory PLC, slot 1 hoist operation.
for system monitoring
purposes.
323
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. High output Voltage applied to the supervisory No effect. Correcting action 3
b. Electrical failure PLC for monitoring purposes will prevent damage to flight
c. N/A would be greater than the hardware.
d. Operator monitors commanded speed from the
distance traveled on a potentiometer output to the
dial indicator in the cab HDPM. The SIS would detect a
and the observer also delta between actual speed and
monitors travel motion. commanded speed and remove
e. Return float the hoist permissives and halt
potentiometer to zero hoist operation.
speed, release
thumbswitch or foot If both potentiometers failed high
pedal, to halt float the same amount, then the
mode operation, or supervisory PLC would not detect
press e-stop the failure.
f. > 3 seconds
g. <= 3 seconds The load could move farther /
faster than expected. However,
due to the extremely slow speed
while in float mode (0.1 in/sec
maximum), it is not expected that
loss of life would occur, although
damage to flight hardware could
be possible. The operator /
observer will have adequate time
to detect the failure.
In addition, the SIS checks that

when the float potentiometer
returns to zero speed (off
position), there is zero volts
output from the potentiometer
(checks for potentiometer
failure).
Double failure required.

324
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low output Hoist float speed would be slower No effect. 3

than expected. The supervisory
system compares commanded
speed to actual speed and if they
are not the same, removes the
permissives for the hoist and
halts hoist operation.
HPS Hoist Pedal Switch Operator activated foot Fails open Unable to provide the required No effect. 3
(Line 2524) switch. When depressed, “enable” to the system to allow
energizes relay HP, to hoist float mode operation. Hoist
indicate that hoist “float” float mode operation will not be
mode operation has been available.
Provides 1 of 3 “enables”
Fails closed Upon initial starting of the crane, No effect. 3
to allow float mode
the SIS PLC verifies that the hoist
operation. (Hoist joystick
pedal foot switch input is not
thumb switch must also
present (foot pedal closed) when
be pressed, and hoist
the crane is off, and that if it is
speed switch must select
present within 0.25 seconds of
“float” position to enable
the mainline contactor input, both
float mode operation.)
hoist permissives will be
removed, disabling hoist
operation.
325
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
To initiate normal float mode, No effect. 3

three operator actions are
required; the foot pedal must be
de-pressed, and the thumb switch
on the hoist joystick must be de-
pressed and the hoist speed
select switch must be moved to
the “float” position. Should the
pedal fail closed during operation,
relay HFP will not be energized
(since the thumb switch is also
required to be pressed to provide
a relay contact closure).
However, an input will be applied
slot 5.
HP Relay This relay is energized Coil fails open / short Unable to provide the “enable” to No effect. 3
(Hoist Pedal) when the operator presses the HDPM to allow hoist float
(Line 2524) the Hoist Pedal Switch mode operation. Hoist float mode
(foot switch) to initiate operation will not be available.
2 normally open hoist float mode
contacts operation. This relay
provides a contact closure
(along with relay HT), to
energize relay HFP (Hoist
Float Permissive), which
will put the Hoist Drive
Power Module in “float”
mode operation.
326
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
(Line 2568) Provides 1 of 2 relay Contact fails open Unable to provide the “enable” to No effect. 3
contact “enables” to the system to allow hoist float
energize relay HFP (Hoist mode operation. Hoist float mode
Float Permissive) which operation will not be available.
provides a discrete input
to the Hoist Drive Power
Module to enable float
mode operation.
Contact fails closed As a single failure, no effect. No effect. 3

Should relay contact HT also fail
closed, the HDPM would be
provided with a float mode
enable. Upon the HDPM being
enabled for float mode, both
motor brakes would be released
and the hoist motor would
assume the load and hold zero
speed.
(Line 3535) Provides an input to the Contact fails open Unable to provide the “enable” to No effect. 3
Operators Supervisory the system to allow hoist float
PLC, Slot 5, that float mode operation. Hoist float mode
mode operation has been operation will not be available.
327
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed Three enables are required to No effect. 3

enter float mode, the hoist foot
pedal switch, thumbswitch on the
hoist joystick and the float
position on the speed select
switch must be selected.
No effect.
FR Relay This relay is energized Coil fails open / short Unable to provide the input to the No effect. 3
(Float Raise) when the operator turns Contact fails open supervisory PLC that hoist float
(Line 2550) the rotary Hoist Drive mode raise operation has been
Float Potentiometer commanded. The supervisory
1 normally open (HDFP) switch to raise the PLC will recognize that Hoist float
contact hoist in float mode. The mode operation has not been
Line 3535 relay provides an input to commanded, and will trip a fault,
the Operators Supervisory halting hoist operations.
PLC, Slot 5 that float raise
operation has been
commanded.
Contact fails closed The supervisory PLC will be No effect. 3

provided with an input that float
raise operation has been
commanded. However, 3 enables
are also required. The PLC will
detect that float mode has not be
properly entered, and trip a fault,
halting hoist operations.
328
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HFR Relay This relay is energized by Coil fails open / short Unable to provide the “enable” to No effect. 3
(Hoist Float Raise) the Hoist Drive Float Contact fails open the HDPM to allow hoist float raise
(Line 2566) Potentiometer (HDFP) operation. Hoist float mode
when the operator rotates operation will not be available.
1 normally open it to the raise direction.
contact When the relay is
(Line 2623) energized, it provides a
series enable, along with
relay HUS, to the Hoist
Drive Power Module.
Contact fails closed The command hoist float raise to No effect. 3
the HDPM would continuously be
provided. However, the hoist
float permissive is also required to
enable the HDPM to operate in
float mode. If the permissive
were to be erroneously provided,
the supervisory PLC would detect
operation and remove the hoist
operation.
FL Relay This relay is energized Coil fails open / short Unable to provide the input to the No effect. 3
(Float Lower) when the operator turns Contact fails open supervisory PLC that hoist float
(Line 2551) the rotary Hoist Drive lower operation has been
Float Potentiometer commanded. The supervisory
1 normally open (HDFP) switch to lower PLC will recognize that Hoist float
contact the hoist in float mode. mode operation has not been
(Line 3536) The relay in turn energizes commanded, and will trip a fault,
relay HFL, and provides halting hoist operations.
an input to the Operators
Supervisory PLC, Slot 5.
329
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Contact fails closed The supervisory PLC will be No effect. 3

provided with an input that float
mode lower operation has been
commanded. However, 3 enables
are also required. The SIS PLC
will detect that float mode has not
be properly entered, and trip a
fault, halting hoist operations.
HFL Relay This relay is energized by Coil fails open / short Unable to provide the “enable” to No effect. 3
(Hoist Float Lower) the Hoist Drive Float Contact fails open the HDPM to allow hoist float
(Line 2567) Potentiometer (HDFP) lower operation. Hoist float mode
when the operator rotates operation will not be available.
1 normally open it to the lower direction.
(Line 2626) energized, it provides a
series enable, along with
relay HUS, to the Hoist
Drive Power Module.
Contact fails closed The command hoist float lower to No effect. 3
the HDPM would continuously be
provided. However, the hoist
float permissive is also required to
enable the HDPM to operate in
float mode. If the permissive
were to be erroneously provided,
the supervisory PLC would detect
operation and remove the hoist
operation.
330
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
HFP Relay This relay is energized by Coil fails open / short Unable to provide the “enable” to No effect. 3
(Hoist Float the operator pressing the Contact fails open the Hoist Drive Power Module to
Permissive) hoist joystick thumb allow hoist float mode operation.
(Line 2568) button and pressing the Hoist float mode operation will
hoist pedal foot switch, not be available.
1 normally open closing 2 relay contacts.
(Line 2619) energized, it provides an
input to the Hoist Drive
Power Module to indicate
float mode operation is
selected.
Contact fails closed A hoist float permissive would be No effect. 3
constantly provided to the hoist
drive power module. Upon the
HDPM being enabled for float
mode, both motor brakes would
be released and the hoist motor
would assume the load and hold
zero speed.
331
SAA00029
Rev. A
Table 9. Electrical FMEA – Bridge & Trolley PLC Pages 332 to 374
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BTPLCPS Power Supply PLC power supply, Low / No output The speed and direction inputs to No effect. 3
converts 120 AC power to the bridge and trolley power
5 VDC power for Bridge & modules would be lost. Bridge &
Trolley PLC operation. Trolley would not operate, or
would cease operation.
High output Potential damage to PLC modules. No effect. 3

Loss of ability to operate bridge &
trolley.
BTPLCP Controller Scans the inputs to the No Output Unable to operate either the No effect. 3
(Slot 1) (Also referred to as PLC from the field devices bridge or trolley.
“Processor” or and executes user written
“CPU”) software based on the
input values received.
The only command output
the PLC can provide is to
remove the Main
Permissive, which will
remove power from the
mainline controls and shut
the crane down.
332
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
a. Unsolicited output Potential for uncommanded speed Potential for undetected 3
corruption of data or direction of bridge or trolley, or speed greater than
b. Internal electrical failure of bridge or trolley to commanded with concurrent
failure cease operation when failure of secondary joystick
c. N/A commanded. potentiometer.
d. Supervisory system is
programmed to detect Supervisory PLC is provided with Operator intervention will
uncommanded motion, separate speed (potentiometer), prevent loss of life, or
speed greater than speed range (fine/coarse) and damage to flight hardware.
commanded, or direction inputs. The actual
direction other than speed and direction (provided by
commanded. the motor encoder and Selsyn, is
e. With a concurrent compared to the commanded
joystick secondary speed and direction.
potentiometer failure,
the operator would Undetected travel in the wrong
have to recognize the direction would require multiple
failure and stop motion failures; both direction relays,
or press e-stop Power Drive Module, motor
f. > 3 seconds encoder, selsyn, supervisory PLC.
g. <= 3 seconds Uncommanded motion would be
detected by the SIS.
BPLCCP Co-Processor Monitors the bridge north No Output Skewing of the bridge has been N/A N/A
(Slot 2) and south skew sensors assessed as a non-critical effect.
via RS-232
communication lines.
Unsolicited output Skewing of the bridge has been N/A N/A
assessed as a non-critical effect.
Corruption of Data Skewing of the bridge has been N/A N/A

assessed as a non-critical effect.
333
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BTPLCAI Analog Input Module Provides the following Channel Fails High Voltage will be higher than No effect. 3
(Slot 3) functions: actually provided by the trolley
joystick potentiometer. The B & T
• Accepts the output PLC will provide a higher than
voltage from the required output voltage to the
Trolley Joystick trolley drive power module,
potentiometer. The resulting in trolley speed faster
voltage will be “scaled” than commanded.
by the PLC software
depending on the The redundant trolley joystick
speed mode selected potentiometer will provide an
(fine / coarse) for equivalent voltage to the
output to the Trolley supervisory PLC. The supervisory
Drive Power Module, PLC, through software, compares
which then commands the actual trolley motor speed via
the Trolley motor. the secondary motor encoder
output, to the commanded speed
(redundant joystick
potentiometer). If they do not
agree, the supervisory PLC’s will
remove both bridge & trolley
permissives (BSP and BCSP),
Potential for trolley speed greater

than commanded with a
concurrent failure of the
redundant potentiometer, or the
SIS system. The SIS checks that
the voltage output of the
potentiometer is zero volts when
the joystick is in the center “off”
position. The SIS consists of
334
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low Voltage will be lower than actually No effect. 3

provided by the trolley joystick
primary potentiometer. Trolley
will operate at a speed slower
than commanded.
Since a delta would exist between

speed, the SIS would remove the
B & T permissives and halt bridge
335
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Accepts the output Channel Fails High Voltage will be higher than No effect. 3
voltage from the Bridge actually provided by the bridge
Joystick potentiometer. joystick potentiometer. The B & T
The voltage will be PLC will provide a higher than
“scaled” by the PLC required output voltage to the
software depending on bridge drive power modules,
the speed mode resulting in bridge speed faster
selected (fine / coarse) than commanded.
for output to the Bridge
Drive Power Modules, The redundant bridge joystick
and then to the Bridge potentiometer will provide an
motors. equivalent voltage to the
supervisory PLC. The supervisory
PLC, through software, compares
the actual bridge motor speed via
the secondary motor encoder
output, to the commanded speed
(redundant joystick
potentiometer). If they do not
agree, the supervisory PLC’s will
remove both bridge & trolley
permissives (BSP and BCSP),
Potential for bridge speed greater

than commanded with a
concurrent failure of the
redundant potentiometer, or the
SIS system. The SIS checks that
the voltage output of the
potentiometer is zero volts when
the joystick is in the center “off”
position. The SIS consists of
336
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low Voltage will be lower than actually No effect. 3

provided by the bridge joystick
primary potentiometer. Bridge
will operate at a speed slower
than commanded.
Since a delta would exist between

speed, the SIS would remove the
permissives and halt bridge &
trolley operation.
BPLCAO Analog Output Provides an output No Output Unable to operate the bridge. No effect. 3
(Slot 4) Module voltage (which is “scaled”
by the B & T PLC
software, depending on
the speed mode selected
[Fine / Coarse]) to Bridge
Drive 1 and Bridge Drive 2
Power Modules, which is
proportional to the
joystick motion by the
operator, which then
controls the 2 bridge
motors.
337
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous Output High Bridge would operate at a speed No effect. 3

faster than commanded. The
supervisory system compares the
secondary motor encoder value
with the secondary joystick
potentiometer output, and would
detect that actual speed is greater
than commanded speed, and
permissives, (BSP & BSCP),
halting bridge & trolley motion.
The SIS checks the secondary

potentiometer for proper
operation by ensuring that when
the joystick is in the center off
position, the voltage output is
zero volts.
The SIS supervisory system has

Erroneous Output Low Bridge would operate at a speed No effect. 3

slower than commanded.
338
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TPLCAO Analog Output Provides an output No Output Unable to operate the trolley. No effect. 3
(Slot 5) Module voltage (which is “scaled”
by the B & T PLC
software, depending on
the speed mode selected
[Fine / Coarse]) to the
Trolley Drive Power
Module and then to the
Trolley motor to control
speed and direction, which
is proportional to the
joystick motion by the
operator.
339
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Erroneous Output High Trolley would operate at a speed No effect. 3

faster than commanded. The
supervisory system compares the
secondary motor encoder value
with the secondary joystick
potentiometer output, and would
detect that actual speed is greater
than commanded speed, and
permissives, (BSP & BSCP),
halting bridge & trolley motion.
The SIS checks the secondary

potentiometer for proper
operation by ensuring that when
the joystick is in the center off
position, the voltage output is
zero volts.
The SIS supervisory system

certified PLC’s.
Erroneous Output Low Trolley would operate at a speed No effect. 3

slower than commanded.
340
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BPLCDI Discrete Input Accepts inputs for the

(Slot 6) Module following Bridge functions:
• Operator selected speed
range (fine / coarse)
Bridge Fine speed - input
is used by the Bspeed and
Laser (skew) logic parts of
the bridge & trolley
software.
Ch. 12 When the channel is high, Channel Fails High (on) Bridge will operate in fine speed No effect. 3
low (fine) speed is mode, even if coarse speed is
commanded and the commanded.
software will divide the
commanded bridge speed Skew function will not be
by 20. operational.
When coarse speed is selected, No effect. 3

the B & T PLC would see both fine
and coarse speed selected (both
inputs high). The B & T PLC
software is written such that, with
both inputs present, the Fine
speed input would take
precedence and the bridge would
operate in fine speed.
341
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low speed is commanded Channel Fails Low (off) When fine speed is selected by No effect. 3
by the operator, but is not the operator, the input would not
recognized by the PLC. go high to provide an indication to
the B & T PLC software that fine
Potential for speed higher speed has been selected. Unable
than commanded to to operate the bridge in fine
occur. speed.
Assuming coarse speed was the

previously selected speed, and
the coarse channel fails to switch
from high to low, bridge operation
in coarse speed would continue.
However, relays BFS and BCS

also provide a relay contact
closure to the supervisory
system. It would see that the
bridge speed is greater than
commanded and remove the
bridge & trolley permissives,
The SIS supervisory system has

redundant, safety certified PLC’s
with redundant relays
(permissives).
342
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 5 Bridge Coarse Speed - Channel Fails High (on) The B & T PLC software would No effect. 3
When the channel is high, continue to see a Coarse speed
coarse speed is command.
commanded. The Coarse
speed input is only used in When changing from coarse
2 lines of code, and is speed to fine speed, if the fine
examined for an “on” speed channel also fails low, then
(high) condition. bridge operation in coarse speed
would continue.
Main line 14 – sets a
motor fault if in coarse However, relays BFS and BCS
speed and the skew fault also provide a relay contact
light is on. closure to the supervisory
system. It would see that the
Bspeed line 20 – used to bridge speed is greater than
determine if it is ok to commanded and remove the
issue a speed command bridge & trolley permissives,
to the bridge drive power halting bridge & trolley operation.
modules. If bridge fine
speed is not commanded, The SIS supervisory system
and neither slow limit consists of redundant, safety
switch is tripped and certified PLC’s with redundant
coarse speed is relays (permissives).
commanded.
Coarse speed is Channel Fails Low (off) Unable to select fast (coarse) No effect. 3
commanded by the speed for bridge operation.
operator, but is not
recognized by the PLC.
343
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 1 • Bridge east travel Channel Fails High (on) The software is written such that No effect. 3
direction it checks if east direction is
selected (on), west direction is
Direct input from the not selected (off). Should the
direction contacts on operator select west travel, both
the joystick directions would be commanded
simultaneously. The software
would not execute. However, if
the joystick is moved back to the
center “off” position, the east
direction input would be “off” but
bridge east travel would continue.
When the joystick is moved back
to the center position, the
potentiometer voltage should
become 0 VDC, and no motion
would occur.
The supervisory system also

monitors travel direction via
relays BE and BW. Motion in the
wrong direction would be
detected by the supervisory PLC
and remove its permissives, and

certified PLC’s with redundant
relays (permissives).
344
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to move bridge in the east No effect. 3
direction.
If a concurrent failure of the west

channel failing high should also
occur, then motion in the wrong
direction would occur.

345
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 2 • Bridge west travel Channel Fails High (on) The software is written such that No effect. 3
direction it checks if west direction is
selected (on), east direction is not
Direct input from the selected (off). Should the
direction contacts on operator select east travel, both
the joystick directions would be commanded
center “off” position, the west
bridge west travel would
continue. When the joystick is
moved back to the center
position, the potentiometer
voltage should become 0 VDC,
and no motion would occur.


346
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to move the bridge in the No effect. 3
west direction.
If a concurrent failure of the east



Ch. 3 • Bridge brakes released Channel Fails High Brake release has been assessed N/A N/A
indication. Channel Fails Low as non-critical.
Ch. 4 • Indication from either Channel Fails High This input is used for the laser N/A N/A
Bridge Drive Power Channel Fails Low skew processing function in the
Module that motor Bridge & Trolley PLC software.
speed is greater than Skewing has been assessed as a
set-point speed. non-critical
347
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 6 & 7 • Bridge East / West a. Channel Fails High (on) The PLC would not detect the No effect. Correcting action 3
“slow” limit switches. b. Internal electrical slow limit switch had been tripped prevents loss of life / damage
Limit switch closed = failure and not switch the bridge to slow to flight hardware.
high (fast) speed c. N/A speed. Bridge would continue
Limit switch open = low d. Operator / observer operation in fast speed.
(slow) speed would have to detect
that bridge is operating Operator error required.
Software is supposed to in fast speed Operator is trained to not operate
automatically change to e. Operator would halt the bridge in fast speed where
slow speed when a slow bridge operation, or slow speed is required.
limit switch is tripped. press e-stop
f. > 3 seconds
g. <= 3 seconds
Channel Fails Low (off) When the limit switch opens, the No effect. 3
channel should go low, indicating
slow speed is required. The PLC
would think that the limit switch
had been tripped, and would
switch bridge speed into slow
speed.
348
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 8 & 9 • Bridge East / West a. Channel Fails High (on) Should the bridge trip the “stop” No effect. Correcting action 3
travel “stop” limit b. Internal electrical limit switch, the B & T PLC would will prevent loss of life /
switches failure not remove the enable for the damage to flight hardware.
c. N/A direction input to the Bridge Drive
Switch closed, channel is d. Operator / observer Power Modules, and Bridge
high would have to motion would continue.
recognize that travel
Switch open, channel is limit has been Requires operator error to exceed
low exceeded. bridge travel limit.
e. Press e-stop (or
Used for one purpose release joystick) to halt
only, to supply an enable bridge motion.
to issue a direction f. > 3 seconds
command to the Bridge g. <= 3 Seconds
Drive Power Modules.
When switch is closed,
allows the direction
command to be output to
the bridge drive power
module.
Channel Fails Low (off) Erroneous indication that the stop No effect. 3
limit switch has been tripped and
the bridge has exceeded the
maximum travel limit. The Bridge
& Trolley PLC will remove the
direction input to the Bridge Drive
Power Modules, which will halt
bridge operation.
Ch. 10 • Bridge Skew correction Channel Fails High Not a critical function. N/A N/A
disable. Channel Fails Low
349
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 11 • Bridge thumb switch for Channel Fails High Operator controlled brake release N/A N/A
brake release Channel Fails Low not used at this time.
Ch. 13 & 14 • Bridge Drive 1 Ready Channel Fails High (on) Should a motor overload occur or No effect. 3
Bridge Drive 2 Ready a bridge drive power module
failure occurs, the PLC software
The Bridge Drive Power would not detect the loss of the
Module outputs a “ready” input.
signal which is input to the
B & T PLC, in series with a
motor overload contact. The software also has a series
check for a thermal overload as
Used in the Main (lines 14 well. If the Bridge Drive Power
& 18) and Bspeed (lines Module had an internal failure, it
24 & 26) of the B&T would halt operation. If the
software motor get to hot, the thermal
BM1F switch would open and halt motor
BM2F operation.
Channel Fails Low (off) Bridge would not be operational. No effect. 3
350
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 15 • BT Main contactor Channel Fails High (on) If the bridge & trolley mainline No effect. 3
energized and no fault contactor opened, power would
indication. be removed from the bridge &
trolley, halting both bridge &
This checks that both trolley operation.
Bridge Drive Power
Modules do not have an If either bridge drive power
internal fault, and the module should have an internal
bridge & trolley mainline failure, that motor would cease
power contactor is operation. The bridge would
energized. cease operation. The trolley
would continue to be operational.
Channel Fails Low (off) Erroneous indication that a fault No effect. 3

has occurred and the PLC will halt
bridge & trolley operations.
351
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
TPLCDI Discrete Input Monitors inputs for the
(Slot 7) Module following Trolley
functions:
• Operator selected speed
range (fine / coarse)
Trolley Fine speed - input
is used by the Tspeed
logic in the bridge &
trolley software.
Ch. 9 When the channel is high, Channel Fails High (on) Trolley will operate in fine speed No effect. 3
indicates that low (fine) mode, even if coarse speed is
speed is commanded and commanded.
the software will divide
the commanded trolley When coarse speed is selected,
speed by 20, which the B & T PLC would see both fine
outputs a slow speed and coarse speed selected (both
value to the Trolley drive inputs high). The B & T PLC
power module for trolley software is written such that, with
motor operation. both inputs present, the Fine
speed input would take
precedence and the trolley would
operate in fine speed.
352
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Low speed is commanded Channel Fails Low (off) When fine speed is selected by No effect. 3
by the operator, but is not the operator, the input would not
recognized by the PLC. go high to provide an indication to
the B & T PLC software that fine
Potential for speed higher speed has been selected. Unable
than commanded to to operate the trolley in fine
occur. speed.
Assuming coarse speed was the

previously selected speed, and
the coarse channel fails to switch
from high to low, trolley operation
in coarse speed would continue.
However, relays TFS and TCS also

provide a relay contact closure to
the supervisory system. It would
see that the trolley speed is
greater than commanded and
permissives, halting bridge &
trolley operation.

353
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 4 Trolley Coarse Speed - Channel Fails High (on) The coarse speed input to the B & No effect. 3
When the channel is high, T PLC software would continue to
indicates that coarse be present.
speed is commanded.
The Coarse speed input is The software is written such that
only used in 1 line of it checks that if coarse speed is
code, and is examined for on, that fine speed is not on (off).
an “on” (high) condition. A failure by itself would have not
effect, since examining for the
fine speed off is in series.
When changing from coarse

speed to fine speed, if the fine
speed channel also fails low, then
trolley operation in coarse speed
would continue.
However, relays TFS and TCS also

provide a relay contact closure to
the supervisory system. It would
see that the trolley speed is
greater than commanded and
permissives, halting bridge &
trolley operation.

354
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Coarse speed is Channel Fails Low (off) Unable to select fast (coarse) No effect. 3
commanded by the speed for trolley operation.
operator, but is not
recognized by the PLC.
355
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 2 • Trolley travel direction Channel Fails High (on) A constant north direction input No effect. 3
(north / south) would be provided to the trolley
drive power module. The
Direct input from the software is written such that it
direction contacts on the checks if north direction is
joystick selected (on), south direction is
not selected (off). Should the
Trolley North travel operator select south travel, both
selected directions would be commanded
center “off” position, the north
trolley north travel would

relays TN and TS. Motion in the

356
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to move trolley in the No effect. 3
north direction.
If a concurrent failure of the

south channel failing high should
also occur, then motion in the
wrong direction would occur.


357
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 1 - Trolley South travel Channel Fails High (on) A constant north direction input No effect. 3
selected would be provided to the trolley
drive power module. The
software is written such that it
checks if south direction is
selected (on), north direction is
not selected (off). Should the
operator select north travel, both
directions would be commanded
center “off” position, the south
trolley south travel would


358
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to move trolley in the No effect. 3

south direction.
If a concurrent failure of the north



Ch. 12 • Operator controlled Channel Fails High The thumb button is not currently N/A N/A
thumb button switch Channel Fails Low used to release the brakes. The
(for brake release) from circuit is disconnected.
Trolley joystick via relay
TT. In addition, the brake has been
assessed as non-critical.
359
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 3 • Trolley brake released Channel Fails High Failure of the brake to release, or N/A N/A
indication (series relay Channel Fails Low not to set, has been assessed as
contacts TBC & TBR) non-critical. See ground rules.
Ch. 5 & 6 • Trolley North / South a. Channel Fails High (on) The PLC would not get the No effect. Correcting action 3
“slow” limit switches. b. Internal electrical indication that the slow limit prevents loss of life / damage
failure switch had been tripped and not to flight hardware.
Limit switch closed = high c. N/A switch the trolley to slow speed.
= fast speed d. Operator / observer The Trolley would continue
would have to detect operation in fast speed.
Limit switch open = low = that the trolley is
slow speed operating in fast speed Operator error required.
e. Operator would halt Operator is trained to not operate
trolley operation, or the trolley in fast speed where
press e-stop slow speed is required.
f. > 3 seconds
g. <= 3 seconds
Channel Fails Low (off) When the limit switch opens, the No effect. 3
channel should go low, indicating
slow speed is required. The PLC
software would detect that the
limit switch had been tripped, and
would switch the trolley speed
into slow speed.
360
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 7 & 8 • Trolley North / South a. Channel Fails High (on) Should the trolley trip the “stop” No effect. Correcting action 3
travel “stop” limit b. Internal electrical limit switch, the B & T PLC would will prevent loss of life /
switches. failure not remove the enable for the damage to flight hardware.
c. N/A direction input to the Trolley Drive
When the switch is closed, d. Operator / observer Power Module, and trolley motion
channel is high. would have to would continue.
recognize that travel
When the switch is open, limit has been Requires operator error to exceed
channel is low. exceeded. trolley travel limit.
e. Press e-stop (or
Used for one purpose release joystick) to halt
only, to supply an enable trolley motion.
to issue a direction f. > 3 seconds
command to the Trolley g. <= 3 Seconds
Drive Power Module.
When switch is closed,
allows the direction
command to be output to
the trolley drive power
module.
Channel Fails Low (off) Erroneous indication that the stop No effect. 3
limit switch has been tripped and
the trolley has exceeded the
maximum travel limit. The Bridge
& Trolley PLC will remove the
direction input to the Trolley Drive
Power Module, which will halt
trolley operation.
361
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 10 • Trolley motor overheat Channel Fails High (on) Should an over temperature No effect. 3
/ overload indication condition occur or a motor
overload occur, the trolley motor
Should a thermal switch in would be allow to continue to
the motor open, or the operate, perhaps to failure, when
motor overload open, will the trolley would stop.
cause the input to go low.
When channel goes low
causes software in the
bridge & trolley PLC to
inhibit trolley motor
operation.
Channel Fails Low (off) Erroneous indication that a No effect. 3
thermal or overload event
occurred. The bridge & trolley
PLC would set a fault, which
would inhibit trolley motor
operation.
Ch 11 • BT Main Line energized Channel Fails High (on) If the bridge & trolley mainline No effect. 3
contactor opened, power would
This checks that the be removed from the bridge &
bridge & trolley mainline trolley, halting both bridge &
power contactor (CCR3) is trolley operation.
energized.
Channel Fails Low (off) Erroneous indication that power No effect. 3

has been lost, and the PLC will
halt bridge & trolley operations.
362
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 13 East Crane – Provides an Channel Fails High Operation of the laser skew N/A N/A
indication to the B & T PLC Channel Fails Low function is assessed as non-
software to identify the critical. Failure to operate or
east crane. Used by the improper operation will not result
laser skew software. in a critical effect. See ground
rules.
Ch. 14 & 15 • Bridge motor overheat Channel Fails High (on) Should a motor over temperature No effect. 3
indication condition occur, the bridge
motors would be allow to
Should the thermal switch continue to operate, perhaps to
in the motor open, it will failure, when the bridge would
cause the input to go low. stop.
When the channel goes
low, it causes software in
the bridge & trolley PLC to
inhibit bridge motor
operation.
Channel Fails Low (off) Erroneous indication that a No effect. 3

thermal overload event occurred.
The bridge & trolley PLC would
set a fault, which would inhibit
bridge motor operation.
363
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
BTPLCDO Discrete Output Provides the following
(Slot 8) Module functions:
(Relay Module)
• Based on input from the
Operator, via the Bridge
joystick, provides
outputs to both of the
Bridge Drive Power
Modules (1 and 2) for
travel direction (east /
west), brake release
command and Base
Block.
Ch. 2 – Bridge Drive East travel direction Channel Fails High (off) The associated Bridge drive No effect. 3
1 East (BED1) power module would get a
continuous east travel indication.
Ch. 7 – Bridge Drive No motion would occur unless a
2 East (BED2) speed input is also present.
Should a concurrent failure occur

from bridge & trolley PLC, slot 3
(speed command),
uncommanded motion of the
associated bridge motor would
occur.
The supervisory system would

detect that uncommanded motion
occurred and halt bridge & trolley
operation.
364
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to operate the associated No effect. 3

bridge motor in the east direction.
However, with a concurrent

failure of the west channel failing
high, motion in a direction other
than commanded would occur.
The supervisory system monitors

that bridge travel is as
commanded.
Ch. 3 – Bridge Drive West travel direction Channel Fails High (on) The associated Bridge drive No effect. 3
West (BWD1) power module would get a
continuous west travel indication.
Ch. 8 – Bridge Drive No motion would occur unless a
2 West (BWD2) speed input is also present.

(speed command),
bridge motors would occur.

operation.
365
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to operate the bridge in No effect. 3

the west direction.

failure of the east channel failing

that bridge travel is as
commanded.
Ch. 4 – Bridge Drive Brake release, used for Channel Fails High N/A N/A N/A
1 Brake Release manual release of the Channel Fails Low
(BD1BR) brakes via the
thumbswitch, which is
Ch. 9 – Bridge Drive currently non-functional.
2 Brake Release
(BD2BR)
366
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 5 – Bridge Drive When the base block Channel Fails High (on) Should there be a drive fault or No effect. 3
1 Base Block output is on (high), it loss of power the PLC would not
(BD1BB) provides an input to the remove the base block input to
power module, which the bridge power module.
Ch. 10 – Bridge becomes an “enable” that
Drive 2 Base Block allows the power module However, if CCR3 has failed, then
(BD2BB) to operate. When the there would be no power
base block is removed, available for bridge drive
the power module is operation. If there is a bridge
“blocked” (disabled) from drive fault, erroneous operation
operation. could occur, but the supervisory
PLC monitors for proper
Both “base block” outputs operation.
are turned off by software
if either drive has a fault The supervisory system consists
or power contactor CCR3 of redundant, safety certified
is off. PLC’s with redundant permissive
relays.
367
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails low (off) Loss of “base block” signal to No effect. 3

associated power module. The
base block signal is an “enable”
and when removed, causes the
Bridge Drive Power Module to
cease operation.

commanded speed and direction,
and no motor data from the
motor encoder. The SIS will
detect a fault, remove the bridge
& trolley permissives, halting
• Based on input from the

Operator, via the
Trolley joystick,
provides outputs to the
Trolley Drive Power
Module for travel
direction (north /
south), brake release
command and Base
Block.
368
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 14 – Trolley North travel direction Channel Fails High (on) Trolley drive power module would No effect. 3
Drive North (TNDC) get a continuous north travel
indication. No motion would
occur unless a speed input is also
present.

(speed command),
trolley motor would occur.

occurred, remove the bridge &
trolley permissives, and halt
The supervisory system consists

of redundant, safety certified
PLC’s with redundant permissive
relays.
369
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to operate the trolley in No effect. 3
the north direction.

failure of the south channel failing

that trolley travel is as
commanded.

relays.
370
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 15 Trolley Drive South travel direction Channel Fails High (on) Trolley drive power module would No effect. 3
South (TSCD) get a continuous south travel
indication. No motion would
occur unless a speed input is also
present.

(speed command),
trolley motor would occur.

operation.

relays.
371
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (off) Unable to operate the trolley in No effect. 3

the south direction.

failure of the north channel failing

that trolley travel is as
commanded.

relays.
Ch. 17 - Trolley Brake release, used for Channel Fails High N/A N/A N/A
Drive Brake Release manual release of the Channel Fails Low
(TDBR) brakes via the
thumbswitch, which is
currently non-functional.
372
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 18 – Trolley When the base block Channel Fails High (on) If CCR3 has failed, then there No effect. 3
Drive Base Block output is on (high), it would be no power available for
(TDBB) provides an input to the trolley drive operation.
power module, which
becomes an “enable” that
allows the power module
to operate. When the
base block is removed,
the power module is
“blocked” (disabled) from
operation.
The “base block” output is

turned off by software if
power contactor CCR3 is
off.
Channel Fails low (off) Loss of “base block” signal to No effect. 3

associated power module. The
base block signal is an “enable”
and when removed, causes the
Bridge Drive Power Module to
cease operation.

commanded speed and direction,
and no motor data from the
motor encoder. The SIS will
detect a fault, remove the bridge
& trolley permissives, halting
373
SAA00029
Rev. A
PMN: K60-0562, K60-0563 Reference: ##
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch. 13 & 14 • Provides output to Channel Fails High Skew function has been assessed N/A N/A
Skew Ready and Skew Channel Fails Low as non-critical.
Fault indicator lights.
Slot 9 Blank Slot not currently used N/A N/A N/A N/A
Slot 10 Blank Slot not currently used N/A N/A N/A N/A
374
SAA00029
Rev. A
Table 10. Electrical FMEA – Operators Supervisory PLC System Pages 375 to 426
System/Subsystem: 200-Ton RPSF Bridge Crane / Safety Monitoring System Drawing No.: Ederer F-42784
PMN: K60-0562, K60-0563 Reference:
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PCRU Uninterruptible Should loss of AC power Low / No output The software monitors for a loss No effect. 3
Power Supply occur, provides of power from the UPS via tag
(UPS) uninterrupted power to the Room_ups_power_OK. Should
Operators Supervisor loss of power occur, the software
Control Safety PLC. will turn on the “power fault”,
causing the permissives to be
removed, halting hoist and bridge
PCRB Battery Provides backup power in No output The software monitors the battery No effect. 3
event of failure of UPS. power status via tag
Room_ups_battery_OK. Should
loss of battery power occur, the
software will turn on the “power
fault”, causing the permissives to
be removed, halting hoist and
PPS Power Supply (PLC) PLC power supply, converts Low / No output Loss of Operators Supervisor PLC No effect. 3
120 AC power to 5 VDC operations. Loss of crane
power for PLC operation. supervisory PLC “Permissive “ to
Mainline Control circuit. Loss of
permissive would cause the
mainline control circuit to open,
and turn-off the crane. Double
failure required.
375
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
High output Possible damage to PLC No effect. 3

components, and possible failure
of PLC. Loss of Operators
supervisory PLC “Permissive “ to
Mainline Control circuit. Loss of
permissive would cause the
mainline control circuit to open,
and turn-off the crane. Double
failure required.
PPP Controller Scans the inputs to the PLC No Output Loss of ability to process inputs No effect. 3
(Slot 0) (Also referred to as from the field devices and for monitoring of system
“Processor” or executes user written performance. The controller has
“CPU”) software based on the a built-in watchdog processor that
input values received. will detect failure of main CPU
and remove the hoist and bridge
The CPU also contains a & trolley permissive, halting crane
watchdog processor, which operation.
performs testing and
monitoring of the PLC. In This is a safety certified PLC with
case of certain faults, the internal checking.
watchdog switches all
outputs to the de-energized Multiple failures required.
state. The watchdog is also
tested by the controller.
The CPU also performs the

data communication
function.
376
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Unsolicited output
• “permissive” (enable) to Should the PLC erroneously No effect. 3
the Mainline Control remove the system permissives,
circuit (Line 640) that the crane will cease operation.
allows the operator to
“turn-on” the system.
Should the PLC erroneously issue No effect. 3
the permissive, there is no effect
as the Crane Supervisory PLC
also issues a permissive for the
hoist and bridge & trolley control
circuits, to allow the system to be
started. Even if both permissives
were issued, there would have to
be a critical failure in the system
as well, where the crane would be
allowed to operate with a
potentially critical failure. Triple
failure required.
Corruption of Data Should proper data be received No effect. 3

but corrupted internally due to a
memory failure or other
component failure, a potentially
critical failure could occur without
shutting down the system.
The PLC is a safety certified PLC,

which has self-checking capability
to detect internal failures.
377
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PPAM Analog Input Receives inputs from the

(Slot 1) Module following devices:
Ch 1 & 10 • Monitors the Joystick Channel Fails High The PLC will detect an erroneous No effect. 3
Power Supply (JPS) high Joystick Power Supply (JPS)
output voltage. One output voltage (higher than there
second after the input actually is), and shut down the
signal from the crane.
energized mainline
contactor is received, the
PLC compares the
voltage to a minimum
and maximum allowed
value. If the voltage is
outside the allowed
range, the PLC will
remove its permissive,
halting crane operation.
Channel Fails Low The PLC will not detect a high No effect. 3
Joystick Power Supply (JPS)
output voltage, should it occur.
Requires additional failure of the
joystick power supply.
The PLC is safety certified, and is

capable of detecting internal
failures.
378
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 5 & 14 • Monitors the Hoist Channel Fails High The Operators Supervisory PLC No effect. 3
Joystick potentiometer would think the Hoist joystick
output voltage, which is potentiometer output voltage is
the speed reference for higher than it actually is. The PLC
the Hoist motor. Once a would compare the (erroneous
directional input is high) joystick voltage and Hoist
received, the PLC Secondary Motor Encoder output
compares the Hoist (which will be correct) and see
Secondary Motor they do not agree and will think
Encoder speed value to the Hoist motor is running slower
the commanded speed than commanded. The PLC will
from the Hoist joystick. not remove its permissive since
If the Secondary Motor the failure does not result in a
Encoder speed is greater speed greater than commanded.
than commanded, or is The system will operate normally.
the opposite polarity, the Failure would be undetectable.
PLC will remove its
permissive and halt
crane operation.
If neither direction is being No effect. 3
commanded, the PLC will check to
verify that the voltage present is
less than the minimum speed
voltage. If the voltage is greater
than the minimum speed voltage,
the PLC will remove its permissive
and halt crane operations.
379
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low The PLC would think the Hoist No effect. 3
joystick potentiometer output
voltage is lower than it actually is.
It would compare the (erroneous
low) joystick voltage and Hoist
Secondary Motor Encoder output
(which will be correct) and see
they do not agree and think the
hoist motor is running faster than
commanded. The PLC will
remove the hoists permissives,
even though the system is
operating normally.
Ch 7 & 16 • Monitors the Hoist float Channel Fails High The Operators Supervisory PLC No effect. 3
potentiometer output would detect Hoist joystick Float
voltage, which is the potentiometer output voltage is
speed reference for the higher than it actually is. The PLC
hoist motor in float compares the (erroneous high)
mode. Upon entering float potentiometer voltage and
Float Mode, the Hoist Secondary Motor Encoder
Operators Supervisory output (which will be correct) and
PLC compares the see they do not agree. The PLC
potentiometer voltage will detect the Hoist motor is
and secondary motor running slower than commanded.
encoder value. The PLC will remove its
permissive and halt crane
operations since the encoder
speed is not approaching the
expected commanded speed.
However, the system will be
operating normally.
380
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low The Operators Supervisory PLC No effect. 3
would detect the Hoist joystick
Float potentiometer output
low) float voltage and Hoist
Secondary Motor Encoder output
they do not agree and detect the
hoist motor is running faster than
remove its permissive and shut
down the crane, even though the
system is operating normally.
PPAM Analog Input Receives inputs from the
(Slot 2) Module following devices:
Ch 1 & 10 • Monitors the Bridge Channel Fails High The PLC would detect the bridge No effect. 3
Joystick potentiometer joystick potentiometer output
output voltage, which is voltage is higher than it actually
the speed reference for is. It would compare the
the Bridge motors. Once (erroneous high) joystick voltage
a directional input is and Bridge secondary motor
received, the PLC encoder output (which will be
compares the secondary correct) and see they are not in
encoder speed value to agreement and detect the motors
the commanded speed are running slower than
from the joystick. If the commanded. The PLC will not
secondary encoder remove its permissive since the
speed is greater that failure does not result in a speed
commanded or is the greater than commanded. The
opposite polarity, the system will operate normally.
PLC will remove its Failure would be undetectable.
permissive and halt
crane operation.
381
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low The PLC would detect the joystick No effect. 3
potentiometer output voltage is
lower than it actually is. It would
compare the (erroneous low)
joystick voltage and secondary
motor encoder output (which will
be correct) and see they are not
in agreement and detect the
motors are running faster than
down the crane even though the
system is operating normally.
Ch 3 & 12 • Monitors the Trolley Channel Fails High The PLC would detect the Trolley No effect. 3
Joystick potentiometer joystick potentiometer output
output voltage, which is voltage is higher than it actually
the speed reference for is. It would compare the
the Trolley motor. Once (erroneous high) joystick voltage
a directional input is and Trolley secondary motor
received, the PLC encoder output (which will be
compares the secondary correct) and see they are not in
encoder speed value to agreement and detect the Trolley
the commanded speed motor is running slower than
from the joystick. If the commanded. The PLC will not
secondary encoder remove its permissive since the
speed is greater that failure does not result in a speed
commanded or is the greater than commanded. The
opposite polarity, the system will operate normally.
PLC will remove its Failure would be undetectable.
permissive and halt
crane operation.
382
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low The PLC would detec the Trolley No effect. 3
joystick potentiometer output
low) joystick voltage and Trolley
they are not in agreement and
detect the motor is running faster
than commanded. The PLC will
down the crane even though it is
operating normally.
PPEM Encoder Module Receives inputs from the

(Slot 3) following devices:
(Sheet 35)
Ch 1 • Monitors the input from Erroneous High The software monitors the bridge No effect. 3
the Bridge Selsyn Erroneous Low Selsyn input via tag
Encoder Amplifier, which Bridge_disp_counter_value.
is indicating the speed
and direction of the The software subtracts the Selsyn
Bridge motor shaft and motor encoder values, and
rotation. takes the absolute value. It then
checks to see if the delta is
greater than an allowable value
(currently 0). If the delta is
greater than 0, a fault will be set
depending on the speed selected
(fine or coarse).
383
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Since the Selsyn and motor
encoder values should be the
same, whether the input fails high
or low, the effect is the same.
There would be a delta, which
would cause a
“bridge_fine_display_fault” or
“bridge_coarse_display_fault”,
and the SIS would remove the
Ch 2 • Monitors the input from Erroneous High The software monitors the trolley No effect. 3
the Trolley Selsyn Erroneous Low Selsyn input via tag
Encoder Amplifier, which Trolley_disp_counter_value.
is indicating the speed
and direction of the The software subtracts the Selsyn
Trolley motor shaft and motor encoder values, and
rotation. takes the absolute value. It then
(currently 0). If the delta is
greater than 0, a fault will be set
(fine or coarse).
Con’t next page
384
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
would cause a
“trolley_fine_display_fault” or
“trolley_coarse_display_fault”,
and the SIS would remove the
PPEM Encoder Module Monitors the input from the Erroneous High The software monitors the hoist No effect. 3
(Slot 4) (Analog Module) Hoist Selsyn Encoder Erroneous Low Selsyn input via tag
(Sheet 36) Amplifier, which is Hoist_disp_counter_value.
indicating the direction of
Ch. 1 the hoist motor shaft The software subtracts the Selsyn
rotation. and motor encoder values, and
takes the absolute value. It then
(currently 0, 25 for float). If the
delta is greater than 0 (or 25 for
float), a fault will be set
(fine, coarse or float).
Con’t next page
385
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
would cause a
“hoist_fine_display_fault”,
“hoist_coarse_display_fault”, or
“hoist_float_display_fault” and
the SIS would remove the hoist
operation.
PPIOM Discrete Input / Receives inputs from the

(Slot 5) Output Module following devices via relay
logic:
Inputs
Ch 1 Power out for use by I/O No output Should a fault occur on inputs 2-9 No effect. 3
channels 2-9 below, the SIS would not receive
the input.
Would also require a system

failure.
The SIS is a safety certified PLC

which means it has internal
failure monitoring. Should an
internal failure be detected, it
would cause the permissives to
be removed, halting crane
operation.
386
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Hoist Joystick
Ch 2 Raise Direction (HR) –
¾ Channel Fails High (On) This variable is true when the No effect. 3
relay HR is energized channel is high. Therefore, the
when the operator software would detect that a hoist
moves the hoist joystick raise command is being issued.
to the hoist raise
position. When relay HR This input is used for a number of
is energized, relay purposes in the software;
contact closes causing - sheet 13, pre-start check
the channel to go high, - sheet 16, hoist joystick direction
to indicate that Hoist contact & pot zero failure check
raise has been - sheet 18, used to update
commanded by the hoist_cmd_rpm
operator. and float_hold_fault
- sheet 21, hoist motor response
The software tag vs. command
associated with this input - sheet 22, hoist brake fault check
is hoist_jstick_raise.
The software function on sheet 16
Used in 6 locations in the checks for the presence of two
software (sheets 13, 16, simultaneous direction inputs. If
18, 21, 22) two directions are present, the
SIS will remove the hoist
operation.
Channel Fails Low (Off) Unable to raise the hoist. No effect. 3
387
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 3 Lower Direction (HL) –
¾ Channel Fails High (On) This variable is true when the No effect. 3
relay HL is energized channel is high. Therefore, the
when the operator software would detect that a hoist
moves the hoist joystick lower command is being issued.
to the hoist lower
position. When relay HL This input is used for a number of
is energized, relay purposes in the software;
contact closes causing - sheet 13, pre-start check
the channel to go high, - sheet 16, hoist joystick direction
to indicate that Hoist contact & pot zero failure check
lower has been - sheet 18, used to update
commanded by the hoist_cmd_rpm
operator. and float_hold_fault
- sheet 21, hoist motor response
The software tag vs. command
associated with this input - sheet 22, hoist brake fault check
is hoist_jstick_lower.
The software function on sheet 16
Used in 6 locations in the checks for the presence of two
software (sheets 13, 16, simultaneous direction inputs. If
18, 21, 22) two directions are present, the
SIS will remove the hoist
operation.
Channel Fails Low (Off) Unable to lower the hoist. No effect. 3
388
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 4 ¾ Hoist Brake Release (HT) Channel Fails High (On) The SIS PLC would have a No effect. 3
Used to operate the hoist in continuous input for float enable.
float mode. When the However, the foot pedal input
operator presses the brake must also be present, and the
release thumb switch on hoist speed select switch must be
the joystick, relay HT is in the “float” position.
energized, closing the relay
contact and causing the All three float permissives are on
channel to go high to one module. If the module failed
indicate that the operator with all inputs high, the SIS PLC
has requested the hoist would assume float operation had
brake be released. been commanded.
The software tag associated The SIS PLC is a safety certified

with this input is PLC with built in error detection.
hoist_brake_pbutton. If an internal failure occurred, the
PLC would set all outputs to zero,
with would cause the permissive
relays to de-energize, halting
crane operation.

required.
Channel Fails Low (Off) Unable to provide the required No effect. 3

enable to operate the hoist in
float mode.
389
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 5 ¾ Hoist foot switch for Channel Fails High (On) The SIS PLC would have a No effect. 3
“Float Mode” (HP) continuous input for float enable.
Used to operate the hoist in However, the joystick
float mode. When the thumbswitch input must also be
operator steps on the foot present, and the hoist speed
pedal, relay HP is select switch must be in the
energized, closing the relay “float” position.
contact and causing the
channel to go high to All three float permissives are on
indicate that the operator one module. If the module failed
has requested the hoist with all inputs high, the SIS PLC
brake be released. would assume float operation had
been commanded.
The software tag associated
with this input is The SIS PLC is a safety certified
hoist_foot_switch. PLC with built in error detection.
If an internal failure occurred, the
PLC would set all outputs to zero,
with would cause the permissive
relays to de-energize, halting
crane operation.

required.
Channel Fails Low (Off) Unable to provide the required No effect. 3

enable to operate the hoist in
float mode.
390
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 6 ¾ Hoist Float Raise Channel Fails High (On) Sheet 13 – performs a startup No effect. 3
direction (FR) – check to ensure the switch has
When the operator selects not failed closed. If the input is
“raise” on the Hoist Drive present at startup, a fault will be
Float Rotary Switch, relay detected, and the hoist will not be
FR is energized, closing a allowed to start up.
relay contact and causing
the channel to go high to Sheet 16 – checks that both float
indicate that the operator raise and float lower directions
has requested Float Raise are not both present at the same
hoist operation. time. If so, it will cause a fault
condition, resulting in the SIS
The software tag associated removing the hoist permissives,
with this input is halting hoist operation.
hoist_float_raise.
Sheet 18 – performs a check to
ensure that if either hoist motor
brake is released, there is a
direction command present. If
the float raise input failed high,
and one or both brakes failed
released, then the SIS would not
detect the failure. Either brake is
capable of holding the load. Prior
failure required to have the brake
fail to set.
Con’t next page
391
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 21 – a constant float raise
input would be provided to the
motor response vs. command
software function. Should
uncommanded float motion
occur, it would not be detected by
the SIS.

uncommanded float motion.
Channel Fails Low (Off) Unable to operate the hoist in No effect. 3

float raise.
Ch 7 ¾ Hoist Float Lower Channel Fails High (On) Sheet 13 – performs a startup No effect. 3
direction (FL) – check to ensure the switch has
When the operator selects not failed closed. If the input is
“lower” on the Hoist Drive present at startup, a fault will be
Float Rotary Switch, relay detected, and the hoist will not be
FL is energized, closing a allowed to start up.
relay contact and causing
the channel to go high to Sheet 16 – checks that both float
indicate that the operator raise and float lower directions
has requested Float Lower are not both present at the same
hoist operation. time. If so, it will cause a fault
condition, resulting in the SIS
The software tag associated removing the hoist permissives,
with this input is halting hoist operation.
hoist_float_lower.
Con’t next page
392
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 18 – performs a check to
ensure that if either hoist motor
brake is released, there is a
direction command present. If
the float lower input failed high,
and one or both brakes failed
released, then the SIS would not
detect the failure. Either brake is
capable of holding the load. Prior
failure required to have the brake
fail to set.
Sheet 21 – a constant float lower

input would be provided to the
motor response vs. command
software function. Should
uncommanded float motion
occur, it would not be detected by
the SIS.

uncommanded float motion.

float lower.
393
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 8 ¾ Hoist Hold Selected Channel Fails High (On) The SIS software, sheet 15, No effect. 3
(HHS) – checks for two simultaneous
When the operator selects inputs. If this input is high, when
“float” position on the Hoist either fine or coarse inputs go
Speed Select switch, relay high, the SIS will detect two
HHS is energized, closing simultaneous inputs, and detect
the relay contact and “hoist_speed_sel_fault”, causing
causing the channel to go the hoist permissives to be
high to indicate that the removed, and halting hoist
operator has requested operation.
hoist float mode operation.

with this input is
hoist_float_select.
float mode.
Ch 9 Hoist “Coarse” speed

¾ Channel Fails High (On) Sheet 15 - Checks for the No effect. 3
selected (HCS) – when presence of two simultaneous
the operator selects speed inputs. If any two speed
“coarse” position on the inputs are present, the SIS will
Hoist Speed Select remove the hoist permissives,
switch, relay HCS is halting hoist operation.
energized, closing the
relay contact and
causing the channel to Sheet 17 – selects a factor to
go high to indicate that perform a calculation to
the operator has determine the “hoist_cmd_rpm”,
requested coarse speed which is used in the “Motor
hoist operation. Response vs. command” function.
394
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The software tag associated The software is written such that
with this input is if both coarse speed and fine
hoist_coarsespd_select. speed inputs are present, fine
speed will be selected.
Sheet 22 – no effect unless there

was a speed error between the
Selsyn and motor encoder. If fine
speed was selected, then two
faults would be detected.
Channel Fails Low (Off) SIS software, sheet 15, checks No effect. 3
for no speed inputs. If none of
the speed inputs are present, the
detect a “hoist_no_spd_sel_fault”
remove the hoists permissives
395
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 10 Power out for use by I/O

¾ No output Should a fault occur on inputs 11- No effect. 3
channels 11-18 18 below, the SIS would not
receive the input.
Would also require a system

failure.

operation.
Ch 11 Hoist “Fine” speed

¾ Channel Fails High (On) Sheet 15 - Checks for the No effect. 3
selected (HFS) – when presence of two simultaneous
the operator selects speed inputs. If any two speed
“Fine” on the Hoist inputs are present, the SIS will
Speed Select switch, remove the hoist permissives,
relay HFS is energized, halting hoist operation.
closing the relay contact
and causing the channel Sheet 17 – selects a factor to
to go high to indicate perform a calculation to
that the operator has determine the “hoist_cmd_rpm”,
requested slow speed which is used in the “Motor
hoist operation. Response vs. command” function.
396
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The software tag The software is written such that

associated with this input if both coarse speed and fine
is hoist_finespd_select. speed inputs are present, fine
speed will be selected.
Sheet 22 – no effect unless there

was a speed error between the
Selsyn and motor encoder. If fine
detect a “hoist_no_spd_sel_fault”
remove the hoists permissives
397
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 12 Load Check On / Bypass Channel Fails High (On)
¾ The hoist load fault detection No effect. 3
(Keyed Switch) – When would be disabled. Should a load
closed, causes the fault occur, the SIS would not be
channel to go high, able to detect the failure and
providing an indication to remove the hoist permissives.
the Operators PLC that
the load check switch Would require a prior failure of
has been placed in the load cell or the output of the
bypass mode. HDPM torque value.
It disables the If a load cell / torque value failure

“hoist_load_fault” did occur, and it was not
detection function, since detected, if the load was being
it is used only in event of lifted, then motion in the opposite
a load cell failure. direction would be detected, or if
Permits lowering of the the load was being lowered,
load in event of a load speed greater than commanded
cell failure, without would be detected, and the SIS
tripping a fault. would remove the hoist
The software tag associated operation.
with this input is
load_check_bypass. Multiple failures required.
Channel Fails Low (Off) Unable to disable the No effect. 3

“hoist_load_fault”. Unable to
operate the hoist.
398
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Bridge Joystick
Ch 13 Bridge East Direction
¾ Channel Fails High (On) Sheet 13 - is a pre-start check to No effect. 3
(BE) – When the Bridge ensure the input is not present at
joystick is moved right, startup. If the channel fails high,
Relay BE is energized then the pre-start check will
which closes a relay cause a fault, and not allow the
contact, causing the crane to start.
channel to go high, to
indicate that Bridge east Sheet 16 – checks that for both
travel is requested by direction inputs (east & west)
the operator. being received at the same time.
If Bridge east is “on”, it verifies
The software tag associated that Bridge west is not “on”. If
with this input is both inputs are high, the PLC will
bridge_jstick_east. remove its permissive and halt
crane operations.
Also, used to check that the

bridge joystick potentiometer is in
the center off position. With
neither direction commanded,
there should be no output from
the potentiometer. If the
potentiometer should have a
“nonzero” output, the fault would
not be detected. Should
uncommanded motion occur, the
SIS would detect it.
399
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
which is capable of detecting
internal failures in the PLC.
Sheet 23 – Used to update the

“bridge_cmd_rpm” variable. If
east direction is commanded,
there would be no effect. If west
direction is commanded, then
both directions would be present
and the software on sheet 16
would detect both inputs present
and remove the permissive,
Sheet 24 – used by the “motor

response vs. command” software
function. If east direction is
commanded, there would be no
effect. If west direction is
commanded, then both directions
would be present and the
software on sheet 16 would
detect both inputs present and
remove the permissive, halting
400
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 25 – checks that a direction
command is present if the brake
is released. If east direction is
Channel Fails Low (Off) If neither direction is being No effect. 3

commanded, which would be the
case for a fails low condition, the
Operators Supervisory PLC checks
for a potentiometer value equal to
zero. If neither direction is
selected but a potentiometer
voltage is present, the PLC will
crane operation.
401
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 14 Bridge West Direction
(BW) – When the Bridge ensure the input is not present at
joystick is moved left, startup. If the channel fails high,
Relay BW is energized then the pre-start check will
indicate that Bridge west Sheet 16 – checks that for both
travel is requested by direction inputs (east & west)
the operator. being received at the same time.
If Bridge east is “on”, it verifies
The software tag associated that Bridge west is not “on”. If
bridge_jstick_west. remove its permissive and halt
crane operations.
bridge joystick potentiometer is in
“nonzero” output, the fault would
402
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
“bridge_cmd_rpm” variable. If
east direction is commanded,
there would be no effect. If west

function. If east direction is
403
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

is released. If east direction is

crane operation.
404
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 15 Bridge “Coarse” Speed
¾ Channel Fails High (On) Fine speed is the normal (default) No effect. 3
Selected (BCS) – When speed. The assumption would be
the operator selects that the operator was in coarse
coarse speed, relay BCS speed and has now selected fine
is energized, and closes speed, and both fine and coarse
a relay contact, which speeds inputs are high.
causes the channel to go
high, indicating the Sheet 15 - The PLC verifies that
operator has selected only one speed range is selected
fast speed for bridge at a time. If both speed range
operation. inputs are received, the PLC will
The software tag associated crane operations.
with this input is
bridge_coarsespd_select.
Sheet 23 - selects a factor to
perform a calculation to
determine the
“bridge_cmd_rpm”, which is used
in the “Motor Response vs.
command” function. The
software is written such that if
both coarse speed and fine speed
inputs are present, fine speed will
be selected. However, software
on sheet 15 checks for both
inputs present at the same time,
and will cause a fault to occur.
405
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 25 - no effect as long as
coarse speed is selected. If fine
However, software on sheet 15
checks for both inputs present at
the same time, and will cause a
fault to occur.
detect a
“bridge_no_spd_sel_fault” and
permissives, halting B&T
operation.
406
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 16 Bridge “Fine” Speed
¾ Channel Fails High (On) Fine speed is the normal (default) No effect. 3
Selected (BFS) – When speed. The assumption would be
the operator selects fine that the operator was in fine
speed, relay BFS is speed and has now selected
energized, and closes a coarse speed, and both fine and
relay contact, which coarse speeds inputs are high.
slow speed for bridge at a time. If both speed range
The software tag associated crane operations.
with this input is
bridge_finespd_select.
determine the
“bridge_cmd_rpm”, which is used
407
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

fine speed is selected. If coarse
speed is selected, then two faults
would be detected. However,
software on sheet 15 checks for
both inputs present at the same
time, and will cause a fault to
occur.
detect a
“bridge_no_spd_sel_fault” and
operation.
408
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 17 Bridge Brake Release
¾ Channel Fails High (On) Manual release of bridge brakes is N/A N/A
(BT) – when the Channel Fails Low (Off) not currently used.
operator presses the
brake release thumb
switch on the joystick,
relay BT is energized,
closing the relay contact
causing the channel to
go high, to indicate that
the operator has
requested the bridge
brakes be released.

with this input is
bridge_brake_pbutton.
Ch 18 Not used
Ch 19 Power out for use by I/O No output Should a fault occur on inputs 20- No effect. 3
channels 20-27 27 below, the SIS would not
receive the input. Would also
require a system failure.

operation.
409
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• Trolley Joystick
Ch 20 Trolley North Direction
(TN) – When the trolley ensure the input is not present at
joystick is moved left, startup. If the channel fails high,
Relay TN is energized then the pre-start check will
which closes 1 relay cause a fault, and not allow the
contact. The relay crane to start.
contact closes causing
the channel to go high, Sheet 16 – checks that for both
to indicate that trolley direction inputs (north & south)
north travel is requested being received at the same time.
by the operator. If Trolley north is “on”, it verifies
that Trolley south is not “on”. If
The software tag associated both inputs are high, the PLC will
with this input is remove its permissive and halt B
trolley_jstick_north. & T operation.
410
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
trolley joystick potentiometer is in
“non-zero” output, the fault would


“trolley_cmd_rpm” variable. If
north direction is commanded,
there would be no effect. If south
Con’t next page
411
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
function. If north direction is
effect. If south direction is

is released. If north direction is
effect. If south direction is
412
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

remove its permissive and halt B
& T operation.
Ch 21 Trolley South Direction

(TS) – When the trolley ensure the input is not present at
joystick is moved right, startup. If the channel fails high,
Relay TS is energized then the pre-start check will
indicate that trolley Sheet 16 – checks that for both
south travel is requested direction inputs (north & south)
by the operator. being received at the same time.
If Trolley south is “on”, it verifies
The software tag associated that Trolley north is not “on”. If
trolley_jstick_south. remove its permissive and halt B
& T operation.
Con’t next page
413
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

trolley joystick potentiometer is in
“non-zero” output, the fault would


“trolley_cmd_rpm” variable. If
south direction is commanded,
there would be no effect. If north
Con’t next page
414
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

function. If south direction is
effect. If north direction is

is released. If south direction is
effect. If north direction is
415
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
& T operation.
Ch 22 Trolley Brake Release

¾ Channel Fails High (on) Manual release of trolley brakes is N/A N/A
(TT) – when the operator Channel Fails Low (off) not currently used.
presses the brake
release thumb switch on
the joystick, relay TT is
energized, closing the
relay contact causing the
indicate that the
operator has requested
the Trolley brake be
released.

with this input is
trolley_brake_pbutton.
416
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 23 Trolley “Fine” Speed
¾ Channel Fails High (on) Fine speed is the normal (default) No effect. 3
Selected (TF) – When speed. The assumption would be
the operator selects fine that the operator ss in fine speed
speed, relay TFS is and selected coarse speed, and
energized, and closes a both fine and coarse speeds
relay contact, which inputs are high.
slow speed for Trolley at a time. If both speed range
operation. Fine speed is inputs are received, the PLC will
the default speed. remove its permissive and halt B
& T operation.
with this input is
trolley_finespd_select.
determine the
“trolley_cmd_rpm”, which is used
417
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
fine speed is selected. If coarse
occur.
Channel Fails Low (off) SIS software, sheet 15, checks No effect. 3
detect a
“trolley_no_spd_sel_fault” and
operation.
418
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 24 Trolley “Coarse” Speed

¾ Channel Fails High (on) Fine speed is the normal (default) No effect. 3
Selected (TC) – When speed. The assumption would be
the operator selects that the operator was in coarse
coarse speed, relay TCS speed and has now selected fine
is energized, and closes speed, and both fine and coarse
a relay contact, which speeds inputs are high.
fast speed for Trolley at a time. If both speed range
The software tag associated & T operation.
with this input is
trolley_coarsespd_select.
determine the
“trolley_cmd_rpm”, which is used
419
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method

coarse speed is selected. If fine
occur.
Channel Fails Low (off) SIS software, sheet 15, checks No effect. 3
detect a
“trolley_no_spd_sel_fault” and
operation.
Ch 25 • PES Control Room UPS Channel Fails High The Operators Supervisory PLC No effect. 3
Power OK – monitors the would not detect loss of AC power
operational status of the to the UPS should it occur. The
UPS. Channel is high as system would continue to operate
long as the UPS is OK. from Batteries. Loss of power to
Operators PLC would occur when
The software tag associated batteries are depleted. However,
with this input is battery failure indication would be
room_ups_power_ok. provided to Operators PLC.
Double failure required.
420
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low Erroneous indication of failure of No effect. 3

UPS. All crane permissives would
operations.
Ch 26 • PES Control Room UPS Channel Fails High The Operators Supervisory PLC No effect. 3
Battery OK - Monitors would not detect battery failure
the operational status of should it occur. The system
the battery, via the UPS. would continue to operate. Loss
Channel is high as long of power to Operators
as the battery is OK. Supervisory PLC would occur if
main AC power supply should fail.
The software tag associated Double failure required. All
with this input is permissives would be removed,
room_ups_battery_ok. which would halt all crane
operation.
Channel Fails Low Erroneous indication of failure of No effect. 3

battery. All crane permissives
would be removed, halting crane
operation.
421
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 27 Reset PES fault (keyed Channel Fails High (On) With the input failed high, should No effect. 3
switch) a fault occur, would not be able to
turn off the permissives, to halt
crane operation.
Would require a prior system

failure resulting in a fault.
Also, the SIS PLC’s are safety

certified, which means they have
internal failure checking. Should
the PLC detect an internal failure,
all outputs are turned off, which
would cause all system
Channel Fails Low (Off) Unable to reset the PLC after a No effect. 3
fault has occurred.
422
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Outputs Provides outputs to the
following devices:
Ch 29 • The CPU will turn on this Channel Fails High (On) Should the Operators Supervisory No effect. 3
output if the software PLC detect an out of tolerance
indicates all operating condition, it would not be able to
parameters are within remove the permissive by de-
specification, energizing energizing relay HCSP. The hoist
relay HCSP (Hoist Cab would continue to operate with a
Supervisory Permissive) failure.
providing an enable
(permissive) to the The Crane supervisory PLC also
mainline control circuit has a hoist permissive (HSP),
(line 640) to allow the which would be simultaneously
crane control circuit to operated to halt hoist operation.
“power up”.
Also, the SIS PLC’s are safety
Should a fault occur, this certified, which means they have
output will be turned off, internal failure checking. Should
causing the permissive the PLC detect an internal failure,
to be removed (de- all outputs are turned off, which
energize relay HCSP) would cause all system
and the hoist to cease permissives to be removed,
operation. halting crane operation.
The software tag associated Multiple failures required.

with this input is
pes_room_hoist_stop.
Channel Fails Low (Off) Unable to energize the No effect. 3
permissives relays, allowing the
Mainline Control Circuit to apply
power to the hoist circuit. Unable
to operate the hoist.
423
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
CH 31 • Illuminates indicator Channel Fails High (On) Light should go off if a fault is No effect. 3
lights in the crane cab to detected in the PLC. Light would
provide the operator not go off.
with an indication if the
PES is running with no In event of a fault, the PLC will
faults. Light is normally remove its permissives and halt
lit if everything is OK. crane operation.

with this input is
pes_run_no_fault.
Channel Fails Low (Off) Erroneous indication to the No effect. 3

operator of a fault in the
Ch 33 • Illuminates indicator light Channel Fails High (On) Erroneous indication to the No effect. 3
in the crane cab to operator that a fault has been
provide the operator detected by the Operators
with an indication if the Supervisory PLC.
PES has detected a fault.
Light is normally off.

with this input is
pes_detect_crane_fault.
424
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) Should a failure be detected, the No effect. 3

operator would not be informed
by the light being lit. However, in
the event of a failure, the PLC will
shut down the crane by removing
its permissive.
Ch 35 • The CPU will turn on this Channel Fails High (On) Should the Operators Supervisory No effect. 3
output if the software PLC detect an out of tolerance
indicates all operating condition, it would not be able to
parameters are within remove the permissive by de-
specification, energizing energizing relay BCSP. The
relay BCSP (Bridge Cab bridge / trolley would continue to
Supervisory Permissive) operate with a failure.
providing an enable
(permissive) to the The Crane supervisory PLC also
mainline control circuit has a Bridge & Trolley permissive
(line 640) to allow the (BSP), which would be
crane control circuit to simultaneously operated to halt
“power up”. bridge & trolley operation.
Should a fault occur, this Also, the SIS PLC’s are safety
output will be turned off, certified, which means they have
causing the permissive to internal failure checking. Should
be removed (de-energize the PLC detect an internal failure,
relay BCSP) and the bridge all outputs are turned off, which
and trolley to cease would cause all system
operation. permissives to be removed,
with this input is Multiple failures required.
pes_room_travel_stop.
425
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) Unable to energize the No effect. 3
permissives relays, allowing the
Mainline Control Circuit to apply
power to the bridge & trolley
circuit. Unable to operate the
bridge & trolley.
Ch 38 - 43 • Illuminates indicator Channel Fails High (On) Erroneous indication of hoist, No effect. 3
lights in the crane cab to Channel Fails Low (off) bridge or trolley travel.
provide the operator
with an indication of the
direction of travel of the
Hoist (Up / Down),
Bridge (East / West) and
Trolley (North / South).
426
SAA00029
Rev. A
Table 11. Electrical FMEA – Crane Supervisory PLC System Pages 427 to 458
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PBU Uninterruptible Should loss of AC power Low / No output Should loss of power occur, the No effect. 3
Power Supply (UPS) supply occur, provides software would turn on the power
uninterrupted power to fault, causing all crane
the Crane Supervisor PLC. permissives to be removed and
UPS status is monitored halt crane operation.
by the Crane Sup. PLC,
slot 4 via tag
Bridge_Ups_Power_OK.
Also charges the battery.
PBUB Battery Provides backup power to No output Should the crane PLC quit No effect. 3
Crane Supervisory PLC in functioning, the hoist (HSP) and
event of loss of input AC bridge & trolley (BSP) permissives
power. would open, causing the hoist
mainline control and bridge &
Battery status is trolley mainline control circuits to
monitored by the Crane open, and halt crane operation.
Sup. PLC, slot 4, via tag Requires prior failure causing loss
Bridge_Ups_Battery_OK. of 60 Hz power.
Multiple failures required to allow

continued operation of the crane
without the crane supervisory PLC
operational.
427
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PPS Power Supply (PLC) PLC power supply, Low / No output Loss of crane supervisory PLC for No effect. 3
converts 120 AC power to monitoring of system operation.
5 VDC power for PLC Should the crane PLC quit
operation. functioning, the hoist (HSP) and
bridge & trolley (BSP) permissives
would open, causing the hoist
trolley mainline control circuits to
open, and halt crane operation.

operational.
High output Possible damage to PLC No effect. 3

components, and possible failure
of PLC.
Loss of crane supervisory PLC for

monitoring of system operation.
Should the crane PLC quit
functioning, the hoist (HSP) and
bridge & trolley (BSP) permissives
would open, causing the hoist
trolley mainline control circuits to
open, and halt crane operation.
Con’t next page.
428
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The supervisory PLC are safety
certified, which means they are
capable of detecting an internal
fault.

operational.
PPP Controller Scans the inputs to the No Output Loss of ability to process inputs No effect. 3
(Slot 0) (Also referred to as PLC from the field devices for monitoring of system
“Processor” or and executes user written performance. The controller has
“CPU”) software based on the a built-in watchdog processor that
input values received. will detect failure of main CPU
and remove the hoist and bridge
The CPU also contains a & trolley permissive, halting crane
watchdog processor, operation.
which performs testing
and monitoring of the This is a safety certified PLC with
PLC. In case of certain internal checking.
faults, the watchdog
switches all outputs to the Multiple failures required.
de-energized state. The
watchdog is also tested by
the controller.
The CPU also performs the

data communication
function.
429
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Unsolicited output
• “permissive” (enable) Should the PLC erroneously No effect. 3
(HSP) to the hoist remove the permissive, the hoist
Mainline Control circuit will cease operation.
(Line 638) that allows
the operator to “turn-
on” the hoist control
circuit.
as the Operator Supervisory PLC
also issues a permissive (HCSP)
to allow the hoist circuit to be
started.
Even if both permissives were
issued, there would have to be a
critical failure in the system as
well, where the hoist would be
allowed to operate with a
potentially critical failure.
The supervisory PLC is safety

fault.
430
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
• “permissive” (enable) Should the PLC erroneously No effect. 3
(BSP) to the hoist remove the permissive, the
Mainline Control circuit bridge & trolley will cease
(Line 642) that allows operation.
the operator to “turn-
on” the bridge & trolley
control circuit.
as the Operator Supervisory PLC
also issues a permissive (BCSP)
to allow the bridge & trolley
control circuit to be started.
Even if both permissives were

issued, there would have to be a
critical failure in the system as
well, where the bridge or trolley
would be allowed to operate with
a potentially critical failure.

fault.
431
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Corruption of Data Should proper data be received No effect. 3
but corrupted internally due to a
memory failure or other internal
component failure, a potentially
critical failure could occur without
the Crane Supervisory PLC
removing the permissive to halt
system operation.
The PLC is safety certified and

performs its own error checking.
The PLC would detect a failure of
the module to operate correctly.
432
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PPAM Analog Input Module Receives inputs from the
(Slot 1) (Sheet 31) following devices:
Used as a 4 channel
differential input
configuration
Input 1 • Monitors the output Channel Fails High Erroneous load cell weight would No effect. 3
voltage from the Load Channel Fails Low be provided to the Supervisory
Cell, indicating the PLC software. The software
weight of the load on compares the load cell input with
the hook. the input from the Hoist Drive
Power Module (HDPM). If the
The software monitors difference between the two values
the load cell input via is not less than 10% of the rated
tag Load_cell_pin. load when either load value is
above 10% of the rated load,
both Supervisory PLC’s
permissives (HSP & HCSP) will be
removed, halting hoist operation.
Bridge and Trolley will continue to
be operational.
fault.
433
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Input 2 • Monitors the Hoist Channel Fails High Erroneous motor torque value No effect. 3
Motor torque value as Channel Fails Low would be provided to the
supplied from the Hoist Supervisory PLC software. The
Drive DC Power software compares the load cell
Module (HDPM) T100 input with the input from the
board. Hoist Drive Power Module
(HDPM). If the difference
The software monitors between the two values is not
the hoist drive torque less than 10% of the rated load
input via tag when either load value is above
Hoist_drive_load_trq. 10% of the rated load, both
Supervisory PLC’s permissives
(HSP & HCSP) will be removed,
halting hoist operation. Bridge
and Trolley will continue to be
operational.
fault.
434
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Input 3 • Monitors the Hoist Channel Fails High The Supervisory PLC compares No effect. 3
Motor tachometer Channel Fails Low the direction and speed of both
speed. A voltage of the Drum Tachometer and Motor
100 VDC/ 1000 RPM is Tachometer inputs. If the
supplied from the Hoist difference in values is not less
Motor Tachometer than 10% of full speed, both hoist
Isolator (HMTI). permissives (HSP & HCSP) are
removed, and hoist operation is
The software monitors stopped and emergency drum
the hoist motor tach brake is set.
input via tag
Hoist_motor_tach. Bridge and Trolley will continue to
be operational.
fault.
Input 4 • Monitors the Hoist Channel Fails High The Supervisory PLC compares No effect. 3
Drum tachometer Channel Fails Low the direction and speed of both
speed. A voltage of the Drum Tachometer and Motor
100 VDC/ 1000 RPM is Tachometer inputs. If the
supplied from the Hoist difference in values is not less
Drum Tachometer than 10% of full speed, both hoist
Isolator (HDTI). permissives (HSP & HCSP) are
removed, and hoist operation is
The software monitors stopped and emergency drum
the hoist drum tach brake is set.
input via tag
Hoist_drum_tach. Bridge and Trolley will continue to
be operational.
435
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
fault.
All channels fail high This is a safety certified PLC. The No effect. 3
All channels fail low PLC has monitoring to detect
failure of the modules.
PPEM Encoder Module Receives inputs from the

(Slot 2) (Analog Input following devices:
Module)
(Sheet 30)
Input 1 • Monitors the input from Channel Fails High The trolley motor encoder data is No effect. 3
the “PES” Trolley Channel Fails Low compared with the trolley Selsyn
Encoder Amplifier data. If they do not agree, the
(PTEA), which is supervisory PLC’s will remove
providing the Trolley both bridge & trolley permissives
Secondary Motor (BSP & BCSP), halting bridge &
Encoder data, trolley operation.
indicating the speed
and direction of the Con’t next page
Trolley motor shaft
rotation.
436
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The software monitors the It is also used in the motor
Trolley Secondary motor response vs. command function.
encoder input via tag The secondary joystick
Trolley_enc_counter_ potentiometer input is converted
value. to a rpm value and compared
with the secondary motor
encoder value. If they do not
agree, a fault is generated,
causing the bridge & trolley
halting B & T operation.
fault.
Hoist will remain operational.

Input 2 • Monitors the input from Channel Fails High The bridge motor encoder data is No effect. 3
the “PES” Bridge Channel Fails Low compared with the bridge Selsyn
Encoder Amplifier data. If they do not agree, the
(PBEA), which is supervisory PLC’s will remove
providing the Bridge both bridge & trolley permissives
Secondary Motor (BSP & BCSP), halting bridge &
Encoder data, trolley operation.
indicating the speed
and direction of the Con’t next page
Bridge motor shaft
rotation.
437
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The software monitors the It is also used in the motor
Bridge Secondary motor response vs. command function.
encoder input via tag The secondary joystick
Bridge_enc_counter potentiometer input is converted
_value. to a rpm value and compared
with the secondary motor
encoder value. If they do not
agree, a fault is generated,
causing the bridge & trolley
halting B & T operation.
fault.
Hoist will remain operational.
438
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PPEM Encoder Module • Monitors the input from Channel Fails High The hoist motor encoder data is No effect. 3
(Slot 3) (Analog Input the “PES” Hoist Channel Fails Low compared with the hoist Selsyn
Module) Encoder Amplifier data. If they do not agree, the
(Sheet 31) (PHEA), which is supervisory PLC’s will remove
providing the Hoist both hoist permissives (HSP &
Input 1 Secondary Motor HCSP), halting hoist operation.
Encoder data,
indicating the speed It is also used in the motor
and direction of the response vs. command function.
Hoist motor shaft The secondary joystick
rotation. potentiometer input is converted
to a rpm value and compared
The software monitors with the secondary motor
the Hoist Secondary encoder value. If they do not
motor encoder input via agree, a fault is generated,
tag causing the hoist permissives to
Hoist_enc_counter be removed, halting hoist
_value. operation.

fault.
The bridge & trolley will remain

operational.
Input 2 Not used N/A N/A N/A N/A
439
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
PPIOM Digital Input / Receives inputs from the
(Slot 4) Output Module following devices via relay
(Sheet 30) logic:
Ch 1 Power out for use by I/O No output Loss of the below functions for No effect. 3
channels 2-9 slot 4.
The Crane Sup. PLC is a safety

certified PLC with built-in test
capabilities. Should an internal
failure be detected, it set all
outputs to zero, which would
cause all permissives to be
removed, halting crane operation.
Inputs
Ch 2 (line 3033) • Hoist Brake 1 Contactor Channel Fails High (On) Erroneous indication that Hoist No effect. 3
(HB1C) – Provides Brake #1 has been released. The
indication that Hoist software checks that both brakes
Brake 1 contactor are set if no motion is
(HB1C) has been commanded. The PLC would
energized to release detect a brake release with no
hoist brake #1. direction command input. The
software will generate a “hoist
The software monitors brake fault”, halting hoist
the hoist brake #1 operation.
status via tag
Hoist_Brake_1
_Contactor.
440
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) Should hoist brake #1 be No effect. 3
released, the input would not be
provided to the PLC. The SIS
software would believe the brake
is set when it is released.
The hoist brake fault would not be

detected.

the load.
Should the other brake fail, other

functions in the SIS software
motion.

fault, which would set all outputs
to zero, which would remove all
crane permissives, halting crane
operation.
441
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 3 (line 3033) • Bridge Brake Contactor Channel Fails High (On) The bridge brake has been No effect. 3
(BBC) – Provides Channel Fails Low (Off) assessed as non-critical for
indication that Bridge setting or inadvertent release.
Brake contactor (BBC) See ground rule g.
has been energized to
release the bridge
brake.
Used to ensure that the

brake is set if no bridge
motion is commanded.
The software monitors

the bridge brake status
via tag Bridge_Brake
_Contactor.
Ch 4 (Line 3034) • Trolley Brake Contactor Channel Fails High (On) The bridge brake has been No effect. 3
(TBC) – Provides Channel Fails Low (Off) assessed as non-critical for
indication that Trolley setting or inadvertent release.
Brake contactor (TBC) See ground rule g.
has been energized to
release the trolley
brake.
Used only to ensure

that the brake is set if
no trolley motion is
commanded.

the Trolley brake status
via tag Trolley_Brake
_Contactor.
442
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 5 (Line 3034) • PES Bridge UPS Power Channel Fails High (On) The Crane Supervisory PLC would No effect. 3
OK – monitors the not detect loss of AC power to
operational status of UPS should it occur. The system
the UPS. Channel is would continue to operate from
high as long as the UPS Batteries. Loss of power to Crane
is OK. PLC would occur when batteries
are depleted. However, battery
The PLC will remove all failure indication would be
system permissives provided to Crane PLC. Double
upon this channel going failure required.
low.
Should PLC failure occur, the
The software monitors outputs would go to zero, which
the UPS power status would cause loss of the
via tag permissives, halting crane
Bridge_UPS_Status_OK operation.
Channel Fails Low (Off) The software will generate a No effect. 3

power fault, which turns off all
system permissives, halting all
crane operation.
443
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 6 (Line 3035) • Hoist Mainline Contactor
– Provides an indication
via relay CM1R that the
hoist mainline circuit
has been energized,
providing power to the
hoist motor and
controls.

the Mainline contactor
status via tag CCR2.
Software uses this

input for four purposes:
Sheet 13 – Performs a Channel Fails High (On) No effect. Software function No effect. 3
pre-start check to detect would perform normally.
that if there are any hoist
joystick or float direction
inputs present (due to
contact failure) at initial
start-up of the crane.
Sheet 14 - Performs a No effect. Software function No effect. 3

pre-start check to detect if would perform normally.
either float enable (foot
pedal or thumbswitch)
input is present at initial
444
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 14 – Performs a No effect. Software function No effect. 3

pre-start check to ensure would perform normally.
that the joystick power
supply voltage is within
the required range at
start-up.
Sheet 15 – Performs a No effect. Software function No effect. 3

check during crane would perform normally.
operation that no two
hoist speed commands The SIS PLC is a safety certified
are simultaneously PLC, which has built-in internal
present as long as relay error checking. In event of a
CCR2 is energized. detected failure, the PLC sets all
outputs to zero, which would de-
energize the permissive relays,
causing the crane to halt
operation.
Channel Fails Low (Off) Sheet 13 - No effect. 3

Unable to detect if a hoist joystick
or float direction input is present
upon startup (a contact failure).
Potential for unexpected hoist
motion to occur.
Con’t next page
445
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
However, the joystick has a

contact that is closed when the
joystick is in the center “off”
position, which provides an
enable to energize main contactor
CCR1. If the joystick, or float
rotary switch, were truly off
center, the enable would not be
present to energize relay CCR1 to
start the crane.
Therefore, even though a

direction command would be
present, there would be no speed
command (voltage) from the
potentiometers, or power to the
crane. Motion would not occur
without multiple failures.
The SIS PLC is a safety certified

PLC, which has built-in internal
error checking. In event of a
detected failure, the PLC sets all
operation.
446
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Sheet 14 - No effect. 3
Unable to detect if a hoist foot
switch or hoist joystick thumb
switch input is present upon
startup (a contact failure).
Potential for unexpected hoist
motion to occur.
However, to enable float mode

also requires the hoist speed
select switch to be in the “float”
position, as well as a speed and
direction input from the hoist float
rotary switch.

operation.
Sheet 14 – No effect. 3
The function will still work via
relay CM2 contact.
447
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Unable to detect if multiple hoist
speed inputs are present.
Would require additional failure of

the hoist control system to have
multiple speed control inputs, as
well as failure of the SIS to detect
an internal failure.

operation.
Ch 7 (Line 3036) • PES Bridge UPS Battery Channel Fails High (On) The PLC would have a constant No effect. 3
OK - Monitors the indication that the UPS battery
operational status of power is OK, even if it is not.
the battery, via the
UPS. Channel is high The Crane Supervisory PLC would
as long as the battery is not detect battery failure should it
OK. occur. The system would
continue to operate. Loss of
The software monitors the power to Crane Supervisory PLC
battery status via tag would occur if main AC power
Bridge_Ups_Battery_OK. supply should fail. Double failure
required. All permissives would
be removed, which would halt all
crane operation.
448
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) The software will generate a No effect. 3

power fault, which will cause all
crane permissives to be removed,
Ch 8 (Line 3036) • Hoist Brake 2 Contactor Channel Fails High (On) Erroneous indication that Hoist No effect. 3
(HB2C) – Provides Brake #2 has been released. The
indication that Hoist software checks that both brakes
Brake 2 contactor are set if no motion is
(HB2C) has been commanded. The PLC would
energized to release detect a brake release with no
hoist brake #2. direction command input. The
software will generate a “hoist
The software monitors the brake fault”, halting hoist
hoist brake #2 status via operation.
tag Hoist_Brake_2
_Contactor.
449
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) Should hoist brake #2 be No effect. 3
released, the input would not be
provided to the PLC. The SIS
software would believe the brake
is set when it is released.
The hoist brake fault would not be

detected.

the load.
Should the other brake fail, other

functions in the SIS software
motion.

failure, which would set all
remove all crane permissives,
450
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Ch 9 (Line 3037) • Bridge & Trolley
Mainline Contactor –
Provides indication that
bridge & trolley
mainline power circuit
has been energized.

the power contactor
status via tag
travel_main_Contactor.
Used for four software

functions.
Sheet 13 - Performs a Channel Fails High (On) Sheet 13 - No effect. Software No effect. 3
pre-start check to detect if function would perform normally.
there are any bridge or
trolley joystick direction
inputs present (due to
contact failure) at initial
Sheet 14 - Performs a Sheet 14 - No effect. Software No effect. 3

pre-start check to ensure function would perform normally.
that the joystick power
supply voltage is within
the required range at
start-up.
451
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
check during crane function would perform normally.
operation that both bridge
speed commands are not
simultaneously present as
long as relay CM2 is
energized.

check during crane function would perform normally.
operation that both trolley
speed commands are not The supervisory PLC is safety
simultaneously present as certified, which means they are
long as relay CM2 is capable of detecting an internal
energized. failure, which would set all
remove all crane permissives,
Channel Fails Low (Off) Sheet 13 - No effect. 3

Unable to detect if a bridge or
trolley joystick direction input is
present upon startup (a contact
failure). Potential for unexpected
bridge or trolley motion to occur.
Con’t next page
452
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
However, the joystick has a
contact that is closed when the
joystick is in the center “off”
position, which provides an
enable to energize main contactor
CCR1. If the joystick were truly
off center, the enable would not
be present to energize relay CCR1
to start the crane.
Therefore, even though a

direction command would be
present, there would be no speed
command (voltage) from the
potentiometers, or power to the
crane. Motion would not occur
without multiple failures.

failure, the PLC sets all outputs to
zero, which would de-energize
the permissive relays, causing the
crane to halt operation.
The function will still work via
relay CCR2 PLC input.
453
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Unable to detect if both bridge
speed inputs are simultaneously
present.

the bridge control system to have
both speed control inputs, as well
as failure of the SIS to detect an
internal failure.
The Bridge & Trolley PLC software

is written such that if both inputs
are present, fine speed will take
precedence.

operation.
454
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Unable to detect if both trolley
speed inputs are simultaneously
present.

the trolley control system to have
both speed control inputs, as well
as failure of the SIS to detect an
internal failure.
The Bridge & Trolley PLC software

is written such that if both inputs
are present, fine speed will take
precedence.

operation.
Ch 10 – 27 Currently not used N/A N/A N/A N/A
455
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Outputs
Ch 29 • The CPU will turn on Channel Fails High (On) The Crane supervisory PLC would No effect. 3
this output if the not be able to halt bridge & trolley
software indicates all operation in the event of a
operating parameters detected condition that requires
monitored by the PLC halting operation.
are within specification,
energizing relay BSP The Operators Supervisory PLC
(Bridge Supervisor also has a bridge & trolley
Permissive) providing permissive (BCSP) that will be
an enable (permissive) removed as well if a fault is
to the bridge & trolley detected.
mainline control circuit
(line 642) to allow
bridge & trolley
operation.
The PLC will turn off the Additionally, the Crane
output if a condition supervisory PLC is a safety
outside the allowable certified PLC with internal error
limits is detected. When checking ability. When an
the output is turned off, it internal failure is detected, all
will de-energize relay BSP, outputs are turned off, causing
which will remove the the permissive relays to de-
“permissive” to the bridge energize, halting all crane
& trolley mainline control operation. Multiple failures
circuit, causing the bridge required.
& trolley to halt operation.
456
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
Channel Fails Low (Off) Unable to energize relay BSP, No effect. 3

which would provide the
“permissive” to the bridge &
trolley mainline control circuit to
allow bridge & trolley operation.
Unable to operate the bridge &
trolley.
Ch 30 • The CPU will turn on Channel Fails High (On) The Crane supervisory PLC would No effect. 3
this output if the not be able to halt hoist operation
software indicates all in the event that a hoist failure
operating parameters occurs.
are within specification,
energizing relay HSP The Operators Supervisory PLC
(Hoist Supervisor also has a hoist permissive
Permissive) providing (HCSP) that will be removed as
an enable (permissive) well if a hoist fault is detected.
to the hoist control
circuit (line 638) to
allow hoist operation.
457
SAA00029
Rev. A
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
The PLC will turn off the Additionally, the Crane

output if a condition supervisory PLC is a safety
outside the allowable certified PLC with internal error
limits is detected in hoist checking ability. When an
operation. When the internal failure is detected, all
output is turned off, it will outputs are turned off, causing
de-energize relay HSP, the permissive relays to de-
which will remove the energize, halting all crane
“permissive” to the hoist operation. Multiple failures
mainline control circuit, required.
causing the hoist to halt
operation.
Channel Fails Low (Off) Unable to energize relay HSP, No effect. 3

which would provide the
“permissive” to the hoist mainline
control circuit to allow hoist
operation. Unable to operate the
hoist.
No effect on bridge & trolley

operation.
Output channels Not currently used N/A N/A N/A N/A

31-45
458
SAA00029
Rev. A
Table 12. Electrical FMEA – Air Conditioning Pages 459 to 459
a. Failure Mode
b. Cause
c. FMN
d. Detection Method
None AC Unit Supplies heating and Fails to maintain required Critical system components have No effect. 3
cooling as required to the temperature thermal devices that will open in
equipment cabinets event of an overheat condition to
prevent erroneous system
operation.
Multiple failures required. AC

failure, system failure and
supervisory monitoring failure.
459
SAA00029
Rev. A
Table 13. Flexhose FMEA – Emergency Brake Pages 460 to 460
System/Subsystem: 200-Ton RPSF Bridge Crane / Emergency Drum Brake Drawing No.: 79K27158
Find No. Inside Max Oper/Proof/ Bend Failure Effect On
Qty MFG Name Fluid Dia. Burst Pressure Radius System Performance, Vehicle Systems, Crit
NASA Part No. MFG Part No. Material Media (in.) (psig) (in.) And/Or Personnel Safety Cat
None Aeroquip AQP / Hydraulic Oil 0.5 4,250 / 14,000 7 Improper expulsion of fluid media potentially 2
7 FC195-08 Elastomer resulting in flight hardware damage.
None
None Aeroquip AQP / Hydraulic Oil 0.25 5,000 / 20,000 3 Improper expulsion of fluid media potentially 2
7 FC510-04 Elastomer resulting in flight hardware damage.
None
15 Flexhose is used for bleeding the emergency 3

1 / piston brake system. Should the flexhose rupture
6 / Crane during system operation, loss of hydraulic
(12 total) pressure would cause the emergency drum
brake to set. A drip pan is underneath the
emergency drum brake to catch any fluid.
Rupture of the flexhose would result in a delay
of operations.
460
SAA00029
Rev. A
4.3 COMPUTER INTERFACE ANALYSIS

This system does not use an LPS, INCS, or KCCS computer interface for control and/or monitoring of critical
system functions identified in Section 4.1.
4.3.1 LAUNCH COMMIT CRITERIA (LCC) AND GROUND LAUNCH SEQUENCER (GLS)
COMPATIBILITY REVIEW
This system is not utilized during the launch countdown; therefore, no LCC and GLS Compatibility Reviews
are required.
4.3.2 EMERGENCY (HARDWIRE) SAFING ANALYSIS

There is no emergency (hardwire) safing associated with this system.
461
SAA00029
Rev. A
Appendix A. FAULT TREE AND HAZARD ANALYSIS
The Fault Tree Analysis, Hazard Analysis Worksheets follow.
The Hazard Reports associated with this system are listed below.
Shuttle Hazard Reports
Hazard Report No. Title
LL-0004 Inadvertent ignition of a SRM in the RPSF
To view Hazard Reports, follow the path; USA Intranet Home Page - Data Warehouse (ADAM) – WebPCASS
Industrial Hazard Reports
Hazard Report No. Title
LL-0012 Personnel required to perform work while beneath suspended loads during flight
hardware processing at KSC / DFRF / CLS / VAFB
To view Hazard Reports, follow the path; USA Intranet Home Page – Departments – Mission Assurance, KSC – System
Safety Engineering
SAA00029
Rev. A
Relex Software Report
Loss of life, Loss (damage)

of SRB segment, Injury to
personnel
G001
Loss of life, loss (damage)

Injury to personnel
of SRB segment
G002 G003
From Page 2 From Page 3
Figure 14. 200-Ton RPSF Bridge Crane Fault Tree
A-1
SAA00029
Rev. A
Loss of life, loss (damage)

of SRB segment
G002
To Page 1
Inadvertent ignition of a Inadvertent ignition of a Failure to perform required Failure to wear fall
Structural failure of the RPSF Crane control or
SRM segment due to SRM segment due to static inspections, maintenance protection equipment when
crane system failure
dropping the load discharge and tests required
G004 E001 E002 G006 E010 E099
A-2
SAA00029
Rev. A
Injury to personnel
G003
To Page 1
Failure to wear safety Personnel contact with Exposure to laser radiation

equipment while performing energized equipment during (Bridge skew alignment
maintenance maintenance system)
E003 E004 E005
A-3
SAA00029
Rev. A
Inadvertent ignition of a
SRM segment due to
dropping the load
G004
To Page 2
Dropping the load due to a Structural failure of the

Wire rope failure Hoist brake failure
gearbox failure hook
G007 E006 G008 G009
Emergency drum brake fails

200-ton hoist gearbox
to set during a gearbox
failure
failure
G010 E098
From Page 6
A-4
SAA00029
Rev. A
RPSF Crane control or

system failure
G006
To Page 2
Erroneous operation of the Erroneous operation of the

Erroneous operation of
bridge or trolley due to a hoist due to a control or
crane due to EMI effects
control or system failure system failure
G018 G019 E019
A-5
SAA00029
Rev. A
200-ton hoist gearbox

failure
G010
To Page 4
Failure to perform required

Gear failure Shaft breaks Key shears inspections, maintenance
and tests
E007 E008 E009 E010
A-6
SAA00029
Rev. A
Wire rope failure
G008
To Page 4
Hoist two blocks, breaking

Reverse winding of the Structural failure of wire
the wire rope, dropping the
wire rope occurs rope
load
G012 G013 G130
From Page 11
Hoist continues upward Failure to cease hoist

Limit switch failure Limit switch failure
travel downward travel
G014 G015 G017 E016
Hoist Weighted Limit

Hoist control or system Hoist geared limit switch Hoist control or system
Operator error Switch (HWLS) fails to open Operator error
failure failure failure
(fails closed)
E012 G022 G016 E013 G022 E012
Hoist Geared Upper Limit

Relay HUS contact fails
Switch (HGULS) fails to
closed
open (fails closed)
E014 E015
A-7
SAA00029
Rev. A
Hoist brake failure
G009
To Page 4
Failure of primary hoist Failure of redundant hoist

holding brake holding brake
E017 E018
A-8
SAA00029
Rev. A
Erroneous operation of the

bridge or trolley due to a
control or system failure
G018
To Page 5
Failure to halt system

Bridge or Trolley control or
operation in event of a
system failure
G020 G021
A-9
SAA00029
Rev. A
Erroneous operation of the

hoist due to a control or
system failure
G019
To Page 5

Hoist control or system
failure
G022 G023
From Page 25
Failure of SIS to remove

Failure of SIS to detect
hoist permissives in event
system failure
of a system failure
G124 G125
Failure to remove
Failure to remove Crane
SIS PLC hardware failure SIS PLC software error Operators Supervisory PLC
Supervisory PLC permissive
permissive
E020 E021 G126 G127
Crane Supervisory PLC fails Crane Supervisory PLC Operators Supervisory PLC Operators Supervisory PLC
to de-energize permissive permissive relay HSP fails fails to de-energize permissive relay HCSP fails
relay HSP closed permissive realy HCSP closed
G128 E133 G129 E136
SIS PLC hardware failure SIS PLC software error SIS PLC hardware failure SIS PLC software error
E020 E021 E020 E021
A-10
SAA00029
Rev. A
Structural failure of wire

rope
G130
To Page 7
Structural failure of north Structural failure of south

wire rope wire rope
E011 E024
A-11
SAA00029
Rev. A
Bridge or Trolley control or

system failure
G020
To Page 9
Bridge control or system Trolley control or system

failure failure
G024 G025
A-12
SAA00029
Rev. A

G021
To Page 9
SIS Supervisory system Failure of the E-Stop

fails to detect or react to a circuit to halt system
system failure operation when pressed
G026 G027
From Page 31
Loss of power to E-Stop

circuit, rendering E-Stop Failure of E-Stop pendant
inoperable
E139 E140
A-13
SAA00029
Rev. A
Bridge control or system

failure
G024
To Page 12
Bridge operates in a
Bridge operates at a speed Bridge fails to cease Bridge has uncommanded
direction other than Bridge exceeds travel limits
greater than commanded operation when commanded motion
commanded
G070 G071 G072 G073 G074
From Page 16 From Page 32 From Page 18 From Page 19
SIS Supervisory system

Bridge electrical control
fails to detect or react to a
system failure
system failure
G085 G026
From Page 31
Both BDPM internal failure Bridge & Trolley PLC failure

Joystick directional
Directional relay failure cause motion in wrong causes motion in the wrong
contact failure
direction direction
E035 G086 G089 E037
From Page 17
BDPM1 internal failure BDPM2 internal failure

results in motion in the results in motion in the
wrong direction wrong direction
E081 E082
A-14
SAA00029
Rev. A
Trolley control or system

failure
G025
To Page 12
Trolley operates at a Trolley operates in a

Trolley fails to cease Trolley has undetected, Trolley exceeds travel
speed greater than direction other than
operation when commanded uncommanded motion limits
commanded commanded
G036 G037 G038 G039 G040
From Page 20 From Page 34 From Page 21 From Page 22
Electrical control system Trolley motor monitoring

failure system failure
G047 G048

Joystick directional Trolley secondary motor
Directional relay failure TDPM internal failure Trolley selsyn failure fails to detect or react to a
contact failure encoder failure
system failure
E035 G049 E036 E042 E043 G026
From Page 31
Trolley travels north when Trolley travels sough when

south direction is north direction is
commanded commanded
G050 G051
Trolley north relay, TN, Trolley south relay, TS, Trolley south relay, TS, Trolley north relay, TN,
contact fails closed contact fails open contact fails closed contact fails open
E038 E039 E040 E041
A-15
SAA00029
Rev. A
Bridge operates at a speed

greater than commanded
G070
To Page 14
Failure to detect speed

Speed control fails in
operation greater than
"coarse" speed mode
commanded
G075 G076
Fine / coarse speed select

Bridge motors operate Failure to detect
switch fails closed in Speed control relay failure
faster than commanded overspeed
"coarse" speed position
E028 G077 G078 G079
From Page 23
Internal failure in BDPM's

Potentiometer has high Bridge & Trolley PLC fails to
Relay BFS (Bridge Fine Relay BCS (Bridge Coarse causes bridge motors to
input to Bridge & Trolley control BDPM's speed
Speed) fails open Speed) fails closed operate at speed greater
PLC for control of BDPMs correctly
than commanded
E065 E066 E067 G080 E068
Bridge & Trolley PLC Bridge & Trolley PLC

hardware failure causes software failure causes
BDPM's to operate faster BDPM's to operate faster
than commanded than commanded
E069 E070
A-16
SAA00029
Rev. A
Directional relay failure
G086
To Page 14
Bridge travels west when Bridge travels east when

east direction is west direction is
commanded commanded
G087 G088
Bridge west relay (BW) Bridge east relay (BE) Bridge east relay (BE) Bridge west relay (BW)
contact fails closed contact fails open contact fails closed contact fails open
E077 E078 E079 E080
A-17
SAA00029
Rev. A
Bridge has uncommanded

motion
G073
To Page 14

Bridge electrical control
system failure
system failure
G095 G026
From Page 31
Erroneous speed and

Bridge & Trolley PLC failure BDPM inadvertent output
direction command
G054 E091 G096
From Page 33
Joystick failure Erroneous motion command
E053 G097
Both bridge joystick

potentiometers have Directional relay failure
non-zero output voltage
E093 G098
Bridge west relay (BW) Bridge east relay (BE)

contact fails closed contact fails closed
E077 E079
A-18
SAA00029
Rev. A
Bridge exceeds travel limits
G074
To Page 14
Bridge fails to cease

Stop limit swtich failure
operation when commanded
G099 G072
From Page 32
Bridge West travel stop Bridge East travel stop limit

limit switch fails closed switch fails closed
E096 E097
A-19
SAA00029
Rev. A
Trolley operates at a
speed greater than
commanded
G036
To Page 15
Failure to detect speed

Speed control fails in
operation greater than
"coarse" speed mode
commanded
G041 G042
Fine / coarse speed select

Trolley motor operates Failure to detect
faster than commanded overspeed
E028 G043 G044 G045
From Page 24
Speed potentiometer has TDPM internal failure

Bridge & Trolley PLC fails to Bridge & Trolley PLC failure
high input to Bridge & causes trolley motor to
Relay TFS fails open Relay TCS fails open control TDPM speed causes motion in the wrong
Trolley PLC for control of operate at speed greater
correctly direction
TDPM than commanded
E029 E030 E031 G046 E032 E037
Bridge & Trolley PLC Bridge & Trolley PLC

hardware failure causes software error causes
TDPM to operate faster TDPM to operate faster
than commanded than commanded
E033 E034
A-20
SAA00029
Rev. A
Trolley has undetected,

uncommanded motion
G039
To Page 15

Trolley electrical control
system failure
system failure
G058 G026
From Page 31
Erroneous speed and

Bridge & Trolley PLC failure TDPM inadvertent output
direction command
G054 E052 G059
From Page 33
E053 G060
Both trolley joystick

non-zero output voltages
E054 G061
Trolley north relay, TN, Trolley south relay, TS,

E038 E040
A-21
SAA00029
Rev. A
Trolley exceeds travel

limits
G040
To Page 15
Trolley fails to cease

Stop limit switch failure
G038 G063
From Page 34
North stop limit switch fails South stop limit switch

closed fails closed
E057 E058
A-22
SAA00029
Rev. A
Failure to detect
overspeed
G079
To Page 16
Speed potentiometer has high Failure of safety montoring

input to Operators Supervisory system (SIS) to detect
PLC (SIS), Slot 2, for monitoring bridge speed greater than
of bridge speed commanded
E071 G081

Speed detection failure fails to detect or react to a
system failure
G082 G026
From Page 31
Erroneous bridge
Erroneous bridge selsyn
secondary motor encoder
data
data
G083 G084
Crane supervisory PLC Operators supervisory PLC

Bridge motor secondary Bridge selsyn outputs
hardware failure corrupts hardware failure corrupts
motor encoder error erroneous data
encoder data selsyn data
E072 E073 E074 E075
A-23
SAA00029
Rev. A
Failure to detect
overspeed
G045
To Page 20
Speed potentiometer has high Failure of safety monitoring

input to Operators Supervisory system (SIS) to detect
PLC, slot 2 (SIS) for monitoring trolley speed greater than
of trolley speed commanded
E059 G064

Speed detection failure fails to detect or react to a
system failure
G065 G026
From Page 31
Erroneous trolley
secondary motor encoder Trolley selsyn error
data
G066 G067
Trolley secondary motor Crane supervisory PLC Operators supervisory PLC

Trolley Selsyn error
encoder error hardware failure hardware failure
E060 E061 E062 E063
A-24
SAA00029
Rev. A
Hoist control or system

failure
G022
To Page 10,7
Hoist operates in a Drop the load due to motor

Hoist operates at a speed Hoist fails to cease Hoist has uncommanded Erroneous entry into float
direction other than not developing adequate
greater than commanded operation when commanded motion mode
commanded torque
G100 G101 G102 G103 G104 G105
From Page 26 From Page 29 From Page 30
Hoist joystick fails to

Electrical control system Hoist motor monitoring Hoist motor fails to cease Erroneous speed and
return to the center "off" HDPM internal failure
failure system failure operation direction command
position
G111 G112 E120 G116 E113 G121
Hoist secondary motor HDPM fails to halt hoist Failure of hoist electrical
Hoist motor selsyn failure
encoder failure motor operation controls
E118 E119 E121 G117
Failure to remove direction Failure to remove speed

command command
G118 G119
Hoist joystick Hoist joystick

Hoist raise relay (HR) fails Hoist lower relay (HL) fails potentiometer output to potentiometer output to
closed closed the HDPM fails greater than the SIS PLC fails greater
0 volts than 0 volts
E114 E116 E124 E125
A-25
SAA00029
Rev. A
Hoist operates at a speed

greater than commanded
G100
To Page 25
Speed control fails in Hoist motor operates

"coarse" speed mode faster than commanded
G106 G108
Hoist joystick
Fine / Coarse speed select
potentiometer has high HDPM fails to control hoist
input to HDPM for hoist motor speed correctly
motor speed control
E107 G107 E110 E111
Hoist relay HFS fails open Hoist relay HCS fails closed
E108 E109
A-26
SAA00029
Rev. A
Electrical control system

failure
G111
To Page 25
Joystick directional
Directional relay failure HDPM internal failure
contact failure
E035 G113 E113
Hoist travels in up direction Hoist travels in down

when down direction is direction when up direction
commanded is commanded
G114 G115
Hoist raise relay (HR) fails Hoist lower relay (HL) fails Hoist lower relay (HL) fails Hoist raise relay (HR) fails
closed open closed open
E114 E115 E116 E117
A-27
SAA00029
Rev. A
Erroneous speed and

direction command
G121
To Page 25
E053 G122
Both hoist joystick

non-zero output voltage
E128 G123
Hoist raise relay (HR) fails Hoist lower relay (HL) fails
closed closed
E114 E116
A-28
SAA00029
Rev. A
Erroneous entry into float

mode
G104
To Page 25
Float enable switch

Float thumbbutton fails Float foot switch fails
contact fails closed on the
closed closed
hoist speed select swtich
E104 E105 E106
A-29
SAA00029
Rev. A
Drop the load due to motor

not developing adequate
torque
G105
To Page 25
Erroneous HDPM motor

Load cell failure torque value supplied to Motor tach failure Drum tach failure
SIS
E100 E101 E102 E103
A-30
SAA00029
Rev. A

system failure
G026
To Page 13,15,34,21,24,23,14,32,18
Supervisory system (SIS) SIS fails to remove

fails to detect system permissives in event of a
failure system failure
G030 G031
Failure to remove
Failure to remove Crane
SIS PLC hardware failure SIS PLC software error Operators Supervisory PLC
Supervisory PLC permissive
permissive
E020 E021 G032 G033
Crane supervisory PLC fails Crane supervisory PLC Operators Supervisory PLC Operators supervisory PLC
to de-energize permissive permissive relay BSP fails fails to de-energize permissive relay, BCSP, fails
relay BSP closed permissive relay BCSP closed
G034 E022 G035 E023
SIS PLC hardware failure SIS PLC software error SIS PLC hardware failure SIS PLC software error
E020 E021 E020 E021
A-31
SAA00029
Rev. A
Bridge fails to cease

G072
To Page 14,19
Bridge joystick fails to

Bridge motors fail to cease
return to the center "off"
operation
position
E085 G090

Bridge system failure fails to detect or react to a
system failure
G091 G026
From Page 31
BDPM's fail to halt bridge Failure of bridge electrical

Bridge & Trolley PLC failure
motors operation controls
E086 G054 G092
From Page 33

command command
G093 G094
Potentiometer output to B Potentiometer output to

Bridge west relay (BW) Bridge east relay (BE)
& T PLC fails (greater than the SIS fails (greater than
0 volts) 0 volts)
E077 E079 E050 E051
A-32
SAA00029
Rev. A
G054
To Page 34,21,32,18
B & T PLC module 6 or 7 B & T PLC module 2 or 4

failure (Direction) (Speed)
E046 E047
A-33
SAA00029
Rev. A
Trolley fails to cease

G038
To Page 15,22
Trolley joystick fails to

Trolley motor fails to cease
return to the center "off"
operation
position
E044 G052

Trolley system failure fails to detect or react to a
system failure
G053 G026
From Page 31
TDPM fails to halt trolley Failure of trolley electrical

motor operation controls
E045 G054 G055
From Page 33

command command
G056 G057
Potentiometer output to B Potentiometer output to

Trolley north relay, TN, Trolley south relay, TS,
& T PLC fails (greater than the SIS fails (greater than
0 volts) 0 volts)
E038 E040 E050 E051
A-34
SAA00029
Rev. A
Table 14. Hazard Analysis Worksheet – K60-0562, K60-0563 Pages A-35 to A-36
System/Subsystem: 200-Ton RPSF Bridge Crane Location: RPSF
Event Event Nomenclature (Hazard Cause) Hazard Cause Elimination / Control Verification
No.
E001 Inadvertent ignition of a SRM segment due to static NASA-STD-8719.9, Standard for Lifting Devices and Equipment, paragraph 4.2.7(i) Electrical,
discharge states that provisions for grounding the hook are required for handling explosives, solid
propellants, flammables, or any other load that requires a non-electrical or static-free
environment. Paragraph 4.8.1, Handling Explosives or Electro-Explosive Devices (EED’s),
paragraph 4.8.1.b(1) and (2), requires that voltage checks on the crane hook shall be
performed prior to start of operations, and the crane hook shall be connected to facility ground
before connecting to explosives or EED’s. OMI’s B5308 and B5309 requires voltage check prior
to lifting operations.
Maximo Job Plan S_ Q6322.01 requires a semi-annual stray voltage check. In addition, ground
cables are connected to the crane and load by personnel responsible for the load.
See Hazard Report LL-0004.
E002 Structural failure of the crane • NASA-STD-8719.9, Paragraph 4.2.2 Labeling / Tagging of Cranes, item a, requires the rated
load be clearly marked on the side of the crane, and shall be clearly legible from the ground
floor (OSHA requirement). The load lifted shall not exceed the rated load.
• NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Paragraph 4.2.5 Structural,
requires that structural design shall be in accordance with industry standards (ASME and
CMAA) for material selection, welding, allowable stresses, design limitations, framing, rails,
wheels, and other structural elements.
• NASA-STD-8719.9, Paragraph 4.3.1 requires that prior to first use, a Proof Load Test will be
accomplished with a load as close as possible, but not to exceed, 1.25 times the rated load
(-5/+0 percent).
• NASA-STD-8719.9, Paragraph 4.3.2 requires that an annual load test will be performed with a
load equal to the rated load (+5/-0 percent). OMI Q6322 requires and performs an annual
load test.
Maximo Job Plan A_Q6322.01 performs an annual inspection for deformation or other signs of
damage at welded and bolted connections. Check structural members for deformation, cracks,
cracked welds, corrosion or other signs of deterioration.
OMI Q3508 requires a walkdown and visual inspection of the crane for obstructions, damage,
deterioration or any other condition, which would hinder safe operation of the crane prior to
each daily use.
E003 Failure to wear safety equipment while performing FSOP 6100, USA Florida Safety Operating Plan, Paragraph 1.7, Personal Protective Equipment,
maintenance contains requirements for protection of personnel.
A-35
SAA00029
Rev. A
No.
E004 Personnel Contact With Energized Equipment During KHB 1710.2 “KSC Safety Practices Handbook”, FSOP 6100, USA Florida Safety Operating
Maintenance Procedure, paragraph 1.2.18, Lockout/Tagout, and USA Operating Procedure, OP USA002433,
“Energy Control Program: Lockout/Tagout Requirements for Servicing Equipment and
Machinery” contains requirements for ensuring equipment is safe to work on.
OP USA002433 states that all authorized employees shall complete training courses QG-116-
USA, “Lockout/Tagout”, and annual re-certification course QG-116R-USA, as well as QG-20A-
LSC, “Site/Area Specific Safety Training”. Personnel will lockout and tag any system prior to de-
energizing and then verifies the equipment is truly de-energized before any maintenance
begins. OMI Q6322 requires personnel be trained in Lockout/Tagout procedures.
E005 Exposure to laser radiation (Bridge Skew Alignment The skew alignment system uses a class II, 675 nm, 1mw laser system. FSOP 6100, Vol. 1,
System) paragraph 1.2.16 Ionizing And Non-Ionizing Radiation Protection, covers operations involving
the use of sources of non-ionizing radiation (e.g., lasers, radar, microwave ovens, UV test lights,
etc.) will be conducted in accordance with the provisions specified in OP USA000448, Radiation
Protection Program, KMI 1860.1 and KHB 1860.2, "KSC Non-Ionizing Radiation Protection
Program."
OP USA000448, Paragraph 2.C, states that Class II lasers are exempt from the requirement,
but prohibits pointing the laser at personnel. Vendor documentation also cautions not to look
into the laser beam.
E006 Structural failure of the Hook NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Section 4, Overhead Cranes,
has the following requirements for hooks:
• Daily: Paragraph 4.4.4(d) requires that a certified operator, prior to first use each day the
crane is used, perform an inspection of the hook. The hook shall be visually inspected in
accordance with section 7 of NASA-STD-8719.9.
• Monthly: Paragraph 4.4.5.a(4), requires an inspection for those items in the daily inspection.
• Annual: Paragraph 4.4.5b(1), requires and annual inspection to include those requirements in
the monthly inspection.
Con’t on next page
A-36
SAA00029
Rev. A
No.
Section 7 Hooks:
• Paragraph 7.4.2 Daily Inspections, requires that hook inspections be performed each day the
lifting equipment is used. Inspections include distortion, inoperative latches, wear,
deformation, cracks, nicks and gouges, hook attachment and securing means.
• Paragraph 7.4.3 Periodic Inspections, requirements of the daily inspections, and for wear
exceeding 10 percent (or manufacturers recommendation), bend or twist exceeding 10
degrees from the plane of the unbent hook, an increase in throat opening exceeding 15
percent (or manufactures recommendation).
• Paragraph 7.4.5 NDT, states that the hook shall be given a surface NDT immediately after all
periodic load and proof tests, and prior to further use of the hook. All new hooks shall
undergo a volumetric NDT (if determined necessary by the LDEM and the responsible design
engineering organization) followed by a proof load test, followed by a surface NDT. Personnel
performing NDT shall be qualified and certified.
• Paragraph 7.5.3 states that repaired hooks shall be proof load tested using the associated
crane proof load value.
Maximo Job Plans M_Q6322, S_Q6322, and A_Q6322 performs the monthly, semi-annual and
annual required inspections and NDT per Maximo Job Plan L_Q6322.01.
E007 Gearbox Failure The gearbox is a 1R critical item and the risk of failure has been accepted by the program. See
the CIL Sheet for acceptance rationale.
See Hazard Report LL-0012.
E008 Shaft Breaks See E007.
E009 Key shears See E007.
E010 Failure to perform required inspections, maintenance and NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Paragraph 4.5 Maintenance,
tests requires that maintenance be performed in accordance with the manufactures
recommendations.
Maximo Job Plans M_Q6322, S_Q6322 and A_Q6322 performs monthly, semi-annual and
annual required maintenance, and L_Q6322 performs annual load test and hook magnaflux
check.
A-37
SAA00029
Rev. A
No.
Monthly maintenance will include checking the gearbelt that drive the hoist Selsyn and encoder
shaft, and the Selsyn gearbelt for wear, cracking, proper tension and proper pulley/belt
alignment. On the trolley motor, the Selsyn is chain driven. Check the chain for wear, rust,
corrosion, tension and proper pulley alignment. The bridge Selsyn is belt driven. Check the
bridge Selsyn gearbelt for wear, cracking, proper tension and proper pulley/belt alignment.
Also, the belts in each of the bridge, trolley and hoist Selsyn display panels in the crane cab
control rooms will also be checked for wear, cracking and proper tension.
E011 Structural failure of wire rope NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Section 4, Overhead Cranes,
E024 has the following requirements for wire rope:
• Daily: Paragraph 4.4.4(e) requires that a certified operator, prior to first use each day the
crane is used, perform a visual inspection of the wire rope reeving for proper travel and drum
lay, and inspect wire rope for obvious kinks, deformation, wire clips and/or damage.
• Monthly: Paragraph 4.4.5.a(3), requires an inspection for those items in the daily inspection
and for signs of deterioration and damage as outlined in paragraph 4.5.3.c of NASA-STD-
8719.9. Paragraph 4.5.3 states that the need to replace wire rope shall be determined by a
certified or otherwise qualified person, based on an evaluation of inspection results. If
replaced, a new rope shall be proof load tested using the associated crane proof load value.
• Annual: Paragraph 4.4.5b(1), requires an annual inspection to include those requirements in
the monthly inspection.
Paragraph 4.7v Operations, states that the load shall not be lowered below the point where less
than two full wraps of rope remain on the hoist drum.
Maximo Job Plan M_Q6322 requires a monthly visual inspection and annual lubrication of the
wire rope.
A-38
SAA00029
Rev. A
No.
E012 Operator error NASA-STD-8719.9, Standard for Lifting Devices and Equipment, paragraph 4.6 requires that
only trained and certified operators shall be authorized to operate the crane.
OMI Q3508 requires that personnel have the following certifications:

• Certification 091, Fixed Cranes/Hoist E-Stop Observer.
• Certification 094-1, Fixed Crane/Hoist Opr/Cont/E-stop observer (level 1) for handling critical
flight hardware.
• Certification 094-4, Fixed Crane/Hoist Opr/Cont/E-stop observer (Restricted)
OMI Q3508 states that no lifting operations shall be performed without a ground controller
equipped with communication and an observer / e-stop operator equipped with communication.
Two certified operators will be in each cab during lifting operations. The crane operator will
repeat commands before carrying it out, if it does not impede operations. If communications
between the ground controller and crane operator is lost, operations will be stopped until
communications are re-established.
E013 Hoist Weighted Limit Switch (HWLS) fails to open (fails NASA-STD-8719.9, Standard for Lifting Devices and Equipment, section 4.3, requires an
closed) Operational Test be performed at least every 4 years.
OMI Q3508 requires an operational check of the hoist at the beginning of each operational day.
The weighted limit will be opened and verify no movement is allowed.
OMI Q6322 performs an operational test semi-annually.
E014 Hoist Geared Upper Limit Switch (HGULS) fails to open OMI Q3508 requires an operational check of the hoist at the beginning of each operational day.
(fails closed) Operate the hoist at slow speed into the geared limit switch and verify upper movement stops.
E015 Relay HUS contact fails closed See E014
E016 Limit switch failure (This is the hoist lower limit switch. If NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Section 4, Overhead Cranes,
the hoist were to travel too far down, the wire rope would has the following requirements for wire rope:
begin to reverse wind.) Paragraph 4.7v Operations, states that the load shall not be lowered below the point where less
than two full wraps of rope remain on the hoist drum.
A-39
SAA00029
Rev. A
No.
E017 Failure of primary hoist holding brake • NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Paragraph 4.2.6.b(5)
Mechanical, requires cranes used for critical lifts have two holding brakes, each capable of
bringing a rated load to zero speed and holding it. Holding brakes shall be applied automatically
when power to the brake is removed.
• NASA-STD-8719.0, Paragraph 4.3.3.d states that each brake’s ability to stop and hold a rated
load be demonstrated. The brakes shall be tested to ensure it is able to hold a static load and
stop a dynamic load. The operational test must demonstrate the ability of each brake to stop
and hold a rated load.
NASA-STD-8719.9, Standard for Lifting Devices and Equipment, Section 4, Overhead Cranes,
has the following requirements for brakes:
• Daily: Paragraph 4.4.4(c) requires that a certified operator, prior to first use each day the
crane is used, perform a visual inspection of the brakes for excessive wear and contamination
by excessive lubricants or foreign matter.
• Monthly: Paragraph 4.4.5.a(3), requires an inspection for those items in the daily inspection.
• Annual: Paragraph 4.4.5b(1), requires and annual inspection to include those requirements in
the monthly inspection. In addition, inspect for wear in brakes, and evidence of a malfunction
in braking devices.
Maximo Job Plans M_Q6322, S_Q6322 and A_Q6322 and OMI Q3508 implements these
requirements.
E018 Failure of redundant hoist holding brake See E017
E019 Erroneous operation of crane due to EMI effects An EMI / EMC test was performed to ensure that the crane system meets the requirements of
MIL-STD-461C, Requirement UM05, Class C3 for commercial electrical and electromechanical
equipment. Some Radiated Emissions were above ambient and allowed specification, and it
was recommended that suppression devices be installed on the electromechanical relays, which
was accomplished. However, the test was conducted in an uncontrolled environment with
exposed wiring and the EMI shielded cabinets could not be closed (due to wiring and
requirements to access components inside the cabinets for testing purposes) to provide the
required shielding. Boeing believes that once the wiring is enclosed in conduit and the cabinets
closed, the system should easily meet the EMI requirements.
Radiated Susceptibility tests were accomplished with any signs of susceptibility.
Refer to EMC/EMI Test Report for F2726 RPSF Project for full test report.
A-40
SAA00029
Rev. A
No.
E020 SIS PLC hardware failure The hardware is analyzed in the SAA for failure. In addition, the SIS PLC is a safety PLC with
built-in-test self checking capabilities and certified by TUV.
E021 SIS PLC software error The SIS software has been analyzed as an integral part of the SAA analysis as well as an
operational test performed to ensure proper crane operation. During testing, all detectable
failures were simulated and the capability of the SIS PLC & software to detect, react and safe
the system were verified.
E022 Crane supervisory PLC permissive relay BSP fails closed Dual supervisory PLCs are used. Both PLCs are safety certified by TUV. Each PLC controls two
relays that can halt hoist and bridge & trolley operation.
E023 Operators supervisory PLC permissive relay, BCSP, fails See E022.
closed
E028 Fine / coarse speed select switch fails closed in “coarse” The supervisory PLC / software monitors for the presence of both speed inputs. Should both
speed position speed inputs be present, the SIS PLC will detect a fault condition, remove the permissives and
halt hoist or bridge & trolley operation, as applicable.
Should the control system fail in the coarse speed position only, the operator is trained and
required to switch to fine speed 10 feet from any structure, which would give adequate time for
the operator to detect the failure of the system to change speed and either move the joystick to
the off position, or press the e-stop.
OMI Q3508 requires a pre-operational test of the hoist, bridge and trolley in both directions and
both speeds.
E029 Relay TFS fails open A pre-operational test will be performed prior to each daily use to exercise the bridge, trolley
and hoist directional and speed controls to ensure proper operation.
Additionally, the SIS PLC is utilized to detect operation that is different from what is
commanded, and halt operation if a failure is detected.
E030 Relay TCS fails open See E029.
A-41
SAA00029
Rev. A
No.
E031 Speed potentiometer has high input to Bridge & Trolley A redundant potentiometer supplies an equivalent voltage to the Supervisory PLC for monitoring
PLC for control of TDPM purposes. If the actual speed and direction of travel is not as commanded, the supervisory PLC
will remove power from the bridge & trolley, halting operation.
E032 TDPM internal failure causes trolley motor to operate at A Supervisory PLC (SIS) has been incorporated for monitoring purposes. The PLC compares the
speed greater than commanded actual speed and travel direction with the commanded speed and direction. If the actual speed
and direction of travel is not as commanded, the supervisory PLC will remove power from the
permissives, halting operation. The Supervisory PLC’s are safety certified.
E033 Bridge & Trolley PLC hardware failure causes TDPM to See E032.
operate faster than commanded
E034 Bridge & Trolley PLC software error causes TDPM to The Bridge & Trolley PLC software has been analyzed as an integral part of the SAA analysis as
operate faster than commanded well as an operational test performed to ensure proper bridge & trolley operation. During
testing, all detectable failures were simulated and the capability of the SIS PLC & software to
detect, react and safe the system were verified.
E035 Joystick directional contact failure See E029.
E036 TDPM internal failure See E032.
E037 Bridge & Trolley PLC failure causes motion in the wrong See E032.
direction
E038 Trolley north relay, TN, contact fails closed See E029.
E039 Trolley south relay, TS, contact fails open See E029.
E040 Trolley south relay, TS, contact fails closed See E029.
E041 Trolley north relay, TN, contact fails open See E029.
E042 Trolley secondary motor encoder failure See E032.
A-42
SAA00029
Rev. A
No.
E043 Trolley Selsyn failure See E032.
E044 Trolley joystick fails to return to the center “off” position A Supervisory PLC has been incorporated for monitoring purposes. The PLC software checks
that the output of the potentiometer is zero when the joystick is in the center off position. If
not, the supervisory PLC will remove power from the bridge & trolley, halting operation. The
Supervisory PLC’s are safety certified.
OMI Q3508 requires an operational check of the hoist, bridge and trolley in both directions and
speeds at the beginning of each operational day.
E045 TDPM fails to halt trolley motor operation See E032.
E046 B & T PLC module 6 or 7 failure (direction) See E032.
E047 B & T PLC module 2 or 4 failure (speed) See E032.
E050 Potentiometer output to B & T PLC fails (greater than 0 The joystick uses redundant potentiometers. The redundant potentiometer supplies an input to
volts) the Supervisory PLC for monitoring purposes. If an uncommanded motion were to occur, the
SIS would detect it and remove the bridge & trolley permissives (de-energize relays), which
would remove power from the bridge & trolley control circuits, halting bridge & trolley operation.
E051 Potentiometer output to SIS PLC fails (greater than 0 See E032.
volts)
E052 TDPM inadvertent output See E032.
E053 Joystick failure See E029.
E054 Both trolley joystick potentiometers have non-zero output See E044.
voltage
A-43
SAA00029
Rev. A
No.
E057 North stop limit switch fails closed Maximo Job Plan S_Q6322 performs a semi-annual test of the limit switch for proper operation.
Hard stops are mounted on the crane structure to stop the trolley from running off the rails.
Operator is trained to not exceed normal travel limits.
E058 South stop limit switch fails closed See E057.
E059 Speed potentiometer has high input to Operators See E032.

Supervisory PLC (SIS), for monitoring of trolley speed
E060 Trolley secondary motor encoder error See E032.
E061 Crane supervisory PLC hardware failure See E020.
E062 Trolley Selsyn error See E032.
E063 Operators supervisory PLC hardware failure See E020.
E065 Relay BFS (Bridge Fine Speed) fails open See E029.
E066 Relay BCS (Bridge Coarse Speed) fails closed See E029.
E067 Potentiometer has high input to Bridge & Trolley PLC for See E050.
control of BDPMs
E068 Internal failure in BDPM’s causes bridge motors to operate See E032.
at speed greater than commanded
E069 Bridge & Trolley PLC hardware failure causes BDPM’s to See E032.
E070 Bridge & Trolley PLC software error causes BDPM’s to See E034.
A-44
SAA00029
Rev. A
No.
E071 Speed potentiometer has high output to Operators See E032.

Supervisory PLC (SIS), for monitoring of bridge speed
E072 Bridge motor secondary motor encoder error See E032.
E073 Crane supervisory PLC hardware failure corrupts encoder See E020.
data
E074 Bridge Selsyn outputs erroneous data See E032.
E075 Operators supervisory PLC hardware failure corrupts See E020.

Selsyn data
E077 Bridge west relay (BW) contact fails closed See E029.
E078 Bridge east relay (BE) contact fails open See E029.
E079 Bridge east relay (BE) contact fails closed See E029.
E080 Bridge west relay (BW) contact fails open See E029.
E081 BDPM1 internal failure results in motion in the wrong See E032.
direction
E082 BDPM2 internal failure results in motion in the wrong See E032.
direction
E085 Bridge joystick fails to return to the center “off” position See E029.
E086 BDPM’s fails to halt bridge motors operation See E032.
A-45
SAA00029
Rev. A
No.
E091 BDPM inadvertent output See E032.
E093 Both bridge joystick potentiometers have non-zero output See E032.
voltage
E096 Bridge west travel stop limit switch fails closed See E057.
E097 Bridge east travel stop limit switch fails closed See E057.
E098 Emergency drum brake fails to set during a gearbox The emergency drum brake is a 1R critical item and the risk of failure has been accepted by the
failure program. See the CIL Sheet for acceptance rationale.
E099 Failure to wear fall protection equipment when required FSOP 6100, USA Florida Safety Operating Plan, references USA Operating Procedure OP
USA003132 for Fall Protection Equipment. OMI Q3508 & Q6322 requires use of fall protection
equipment in accordance with the requirements in USA003132.
E100 Load cell failure The Supervisory PLC (SIS) software compares the load cell value with the Hoist Drive Power
Module output, which is a value of the torque supplied to the motor, which equates to the load
on the hook. If the values are not within the prescribed tolerance, each SIS PLC will remove the
hoist permissive (de-energize a relay), which will cause the hoist to halt operation and both
hoist brakes to set.
Should a load cell failure occur, there is a manual load set (keyed) switch that can be used to
select a load input to the HDPM. The key is only available from the system engineer, and is
only used in event of a load cell failure, to lower the load.
E101 Erroneous HDPM motor torque value supplied to SIS See E100.
E102 Motor tach failure The Supervisory PLC (SIS) software compares the motor tach with the drum tach. If the values
are not within the prescribed tolerance, each SIS PLC will remove the hoist permissive (de-
energize a relay), which will cause the hoist to halt operation and both hoist brakes to set.
A-46
SAA00029
Rev. A
No.
E103 Drum tach failure See E102.
E104 Float thumb button fails closed Float mode requires three enables. The Supervisory PLC (SIS) software performs a pre-start
check for the button being closed upon application of power to the crane. If the input to the SIS
is present, then the permissives will be removed, and the crane will not be allowed to operate.
In addition, the SIS software checks to ensure that the hoist rotary switch for float mode is in
the center off position when entering float mode. So, if multiple failures occurred to enable float
mode, there would be no speed input, and the hoist motor would hold zero speed.
E105 Float foot switch fails closed See E104.
E106 Float enable switch contact fails closed on the hoist speed The SIS software checks for no speed input from the hoist speed select switch, or more than 1
select switch input from the switch. Should more than 1 input, or no input, be detected, the SIS will remove
the hoist permissives, halting hoist operation. Also see E021.
E107 Fine / coarse speed select switch fails closed in “coarse” The operator is trained and certified to operate the crane. In addition, the OMI Q3508 requires
speed position the operator to switch to fine speed 10 from any structure. Should the speed continue in coarse
(fast) speed, the operator will have adequate time to detect the failure and stop crane motion
by either moving the joystick to the center off position, or pressing the E-stop.
In addition, the SIS software checks for the presence of both speed inputs at the same time. If
both inputs are simultaneously present, the SIS will detect the failure and remove the system
permissives, halting crane operation. Also, the software is written, that with both inputs
present, fine speed will take precedence.
E108 Hoist relay HFS fails open See E029.
E109 Hoist relay HCS fails closed See E029.
E110 Hoist joystick potentiometer has high input to HDPM for See E032.
hoist motor speed control
E111 HDPM fails to control hoist motor speed correctly See E032.
A-47
SAA00029
Rev. A
No.
E113 HDPM Internal Failure See E032.
E114 Hoist raise relay (HR) fails closed See E029.
E115 Hoist lower relay (HL) fails open See E029.
E116 Hoist lower relay (HL) fails closed See E029.
E117 Hoist raise relay (HR) fails open See E029.
E118 Hoist secondary motor encoder failure See E029.
E119 Hoist motor Selsyn failure See E029.
E120 Hoist joystick fails to return to the center “off” position See E044.
E121 HDPM fails to halt hoist motor operation See E032.
E124 Hoist joystick potentiometer output to the HDPM fails See E050.
greater than 0 volts
E125 Hoist joystick potentiometer output to the SIS PLC fails See E032.
greater than 0 volts
E128 Both hoist joystick potentiometers have non-zero output See E044.
voltage
E133 Crane Supervisory PLC permissive relay HSP fails closed See E022.
E136 Operators Supervisory PLC permissive relay HCSP fails See E022.
closed
A-48
SAA00029
Rev. A
No.
E139 Loss of power to E-Stop circuit, rendering E-Stop Loss of power is detectable on the e-stop pendant. An indicator light on the pendant is
inoperable illuminated while power is available. OMI Q6311 performs semi-annual maintenance and
inspections. See E139.
E140 Failure of E-Stop pendant / receptacle OMI Q6311 provides instructions for visual inspections and operational testing of E-stop system
in the RPSF. Semi-Annual maintenance is performed on the emergency stop pendants and
receptacles. The pendants will be visually inspected for loose hardware, wire connections and
visible damage. Verify 1 ohm or less across the pushbutton when pressed. Install pendant box
into receptacle and verify light on pendant is illuminated. De-press pushbutton on pendant and
verify light is not lit. Receptacles will be visually inspected for loose or missing hardware,
conduit, cracked or distorted housing. Measure voltage and verify 120 +/- 15 VAC is present.
Connect shop aid e-stop pendant to any of the e-stop receptacles that were inspected, depress
pushbutton and verify indicator light is extinguished and power circuit breaker is de-energized.
OMI Q3508 verifies that the E-stop receptacle and pendant are certified, and verifies that the E-
stop indicator lamp is illuminated, indicating that power is available for E-stop operation.
A-49
SAA00029
Rev. A
Appendix B. CRITICAL ITEMS LIST

SAA00029
Rev. A
USA Ground Operations 1R Non-CIL Sheet
1R Non-CIL Item: Gear Case Criticality Category: 1R

NASA Part No: None Total Quantity: 2
Mfg/Part No: Fulton / 1274-3A
System: 200-Ton Bridge Crane
Find No. Qty Area PMN Baseline Drawing / Sheet

None 1 RPSF K60-0562 400.15 Fulton Shipyards
Dwg 1274 /
None 1 RPSF K60-0563 400.15 Fulton Shipyards

Dwg 1274 /
Function:
Transmits power from the hoist motor to the drum.
Failure Mode No. Failure Cause Detection Method Crit

Failure Mode Failure Effect Time to Effect Cat
00029.001 Excessive gear wear, structural failure of gears or Supervisory PLC monitors 1R
shafts for over-speed.
Gear
Disengagement Load would free fall. The hoist motor brakes would be Seconds
ineffective. Emergency drum brake would
automatically be activated and safe the load.
ACCEPTANCE RATIONALE
Redundancy Screens: Pass/Fail
A Item is verifiable during normal ground operations Pass

B Item loss is readily detectable by the ground crew Fail
C Loss of all redundant items cannot result from a single cause Pass
Conforms to NSTS 08080-1: N/A
Test and Inspection:

• OMRS File VI requires the performance of an annual rated load test, and an operational test.
B-1
SAA00029
Rev. A
USA Ground Operations 1R Non-CIL Sheet
1R Non-CIL Item: Brake, Drum, Emergency Criticality Category: 1R

NASA Part No: None Total Quantity: 2
Mfg/Part No: Caliper Co / 49RC35K
System: 200-Ton Bridge Crane
Find No. Qty Area PMN Baseline Drawing / Sheet

None 1 RPSF K60-0562 400.15 80K59317 / 1
None 1 RPSF K60-0563 400.15 80K59317 / 1
Function:
The emergency brake is hydraulically released and spring set. Springs press the caliper against the drum.
While the crane is in operation (powered up) the emergency brake is normally released by an energized
solenoid valve, which applies hydraulic pressure against the spring action of the caliper, thus holding the
emergency brake in the released position. In event of an overspeed of the hoist drum, loss of power to the
crane or if the emergency stop button is pressed, the solenoid valve will be de-energized, releasing the
hydraulic pressure, allowing the brake to set and hold the load.
Failure Mode No. Failure Cause Detection Method Crit

Failure Mode Failure Effect Time to Effect Cat
00029.002 Solenoid valve fails to relieve hydraulic pressure to Visual 1R
allow the e-brake to set, spring failure in caliper, worn
Fails To Engage brake pads, overspeed detection circuit failure Seconds
Loss of emergency drum brake capability. Requires

prior failure of both motor brakes. Triple failure
required.
Load would drop uncontrolled if coupled with failure of

the gear case. (Motor brakes would be ineffective)
ACCEPTANCE RATIONALE
Redundancy Screens: Pass/Fail
A Item is verifiable during normal ground operations Pass

B Item loss is readily detectable by the ground crew Fail
C Loss of all redundant items cannot result from a single cause Pass
Conforms to NSTS 08080-1: Yes
Test and Inspection:

• OMRS File VI requires the performance of an annual rated load test and an operational test to ensure
that the emergency brake can hold the rated load.
B-2

200-Ton Bridge Crane at RPSF

Uploaded by

Copyright:

Available Formats

You might also like

200-Ton Bridge Crane at RPSF

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

200-Ton Bridge Crane at RPSF

Uploaded by

Copyright:

Available Formats

SAA00029

SYSTEM ASSURANCE ANALYSIS

200-TON BRIDGE CRANE

ROTATION, PROCESSING and SURGE FACILITY (RPSF)

Baseline No.: 400.15 PMN: K60-0562

1 SYSTEM ASSURANCE ANALYSIS SUMMARY .....................................................5

2 SYSTEM DESCRIPTION .....................................................................................6

3 ANALYSIS GROUNDRULES .............................................................................19

Appendix A. FAULT TREE AND HAZARD ANALYSIS

Table 1. Finding Summary .................................................................................................................. 5

1 SYSTEM ASSURANCE ANALYSIS SUMMARY

Table 1. Finding Summary

1.2 AREAS OF CONCERN

There were no Areas of Concern identified with this system.

1.3 DOCUMENTATION LIST

The following operations utilize the 200-Ton crane:

2.3 15-Ton Hoist

2.4 200-Ton Hoist

2.4.1 Emergency Drum Brake

2.4.2 Float Mode

2.4.4 Electrical Controls

Crane Operational Speeds

Coarse 0 – 30 fpm 6.0 in/sec 3 seconds (or less) 18 inches

Coarse 0 – 7 fpm 1.4 in/sec 3 seconds (or less) 4.2 inches

High* 0 – 10 fpm 2.0 in/sec 3 seconds 6 inches

Figure 1. RPSF 200-Ton / 15-Ton Bridge Crane

Figure 2. Removal of railcar cover

Figure 3. Lift of SRB Segment

Figure 4. SRM Segment Lifting Operation

Figure 5. Aft Skirt Handling

Figure 6. RPSF Crane Control Panel

4 FAILURE MODES AND EFFECTS ANALYSIS

4.1 CRITICALITY ASSESSMENT

Electrical Power 200 Ton Main Hoist

Laser Skew Tracking

Load to be lifted Flight and non-flight NA NA NA

Mechanical failure of the bridge resulting in a sudden N/C

Mechanical failure of the trolley resulting in a sudden N/C

Control & Supervisory System:

Input to PLC in FIG. 11 460 VAC Trolley Trolley

Connection on current Sprocket

Motor Overheat RPSF Crane Block Diagram

Figure 8. Trolley Control System

Trolley Block Diagram

Trolley_finespd_select Scale trolley

Trolley SIS Software diagram

BB1R BB2R BFS

Bridge Drive Ready

460 VAC Belt

Bridge Motor Drive 1 shown. Bridge Motor Thermal Switch

Figure 9. Bridge Control System

Bridge FeedBack Primary

Bridge Block Diagram

Bridge_finespd_select Scale bridge

Bridge SIS software diagram

Relays Hoist Hoist Hoist

Raise / Lower Relays A

Figure 10. Hoist Control System